Dr. Christopher Kunz
christopherkunz.bsky.social
Security and compliance nerd, sword fighter. Opinions are my own, not my employer's.
Other social media profiles:
Mastodon: @[email protected]
LinkedIn: https://www.linkedin.com/in/christopherkunz/
I have upgraded the Insecurity Appliance Bingo to reflect the recent Fortinet advisory about a persistent backdoor. I also decided to include the Palo Alto Auth bypass CVE-2025-0108 in the bingo although it's not a "critical" (but barely). It is being actively exploited.
cku.gt/appbingo25
April 15, 2025 at 12:24 PM
At long last (two weeks without a critical vuln!), there's a new insecurity appliance entry. And it's... *drumroll* Ivanti again! With an almost classic Auth RCE due to a stack-based buffer overflow (CVE-2024-22467), they are creeping into Bingo territory. Only two more cells to go!
February 12, 2025 at 8:24 AM
We have a new entry in the #2025securitybingo - SonicWall has an interesting RCE opportunity in their SMA1000 series. 9.8/10, that merits inclusion on my bingo card.

Three vendors down, three to go. We're halfway there!
January 23, 2025 at 3:22 PM
A Series Of Unfortinet Events:
There's a bunch of new CVEs, at least one of them critical. There's an attack campaign against unsecured web UIs. Aaaand there's a leak of fifteen thousand config files plus VPN passwords. I took a closer look here: www.heise.de/en/news/Unkn...
January 15, 2025 at 6:29 PM
Latest version of the 2025 (in)security appliance bingo adds CVE-2024-55591 / FG-IR-24-535 to the list. Thanks to watchTowr for reporting it, and thanks to various Fediverse users for alerting me to it. cku.gt/appbingo25

Fortinet admins: Go and patch your stuff. This is being exploited ITW.
January 15, 2025 at 7:54 AM
Last bingo post for today, I promise.
I fleshed this out a little more. You can find the (In)Security Appliance Bingo 2025 in proper, two-dimensional form here:

cku.gt/appbingo25

Suggestions and submissions very welcome.
January 9, 2025 at 2:30 PM
They really handed out USB keys at a security conference. #38C3 #FlippyRAM
December 30, 2024 at 11:31 AM
Hot off the press: #FragDenStaat newspapers #38C3
December 29, 2024 at 7:06 PM
From 38C3 assembly area: "FSB agent, fuck off"
December 29, 2024 at 1:07 PM
Day 2 of #38C3 begins... foggy. But that's probably part of the local color. Today at 6 p.m. I'll be broadcasting the "Passwort" podcast live from the Sendezentrum (Saal X) - let's see how it goes and who stops by. :-)
December 28, 2024 at 9:25 AM
Well, there goes the contents of my X account. The platform has made it artificially harder to archive your content, so I let Cyd do this for me, too. Now I have an HTML and SQLite version to peruse whenever I want to. (Spoiler: I don't.)
December 10, 2024 at 7:50 AM
Interesting. Amazon has deployed a new shipping option, called "Versand ohne Eile" (Shipping without hurry?) in Germany. In a quick test case with a private order, I was offered about 0.70€ discount in exchange for +7 days shipping. This feels a little unbalanced.
November 28, 2024 at 12:50 PM
For all fans of Loriot's Hoppenstedt Christmas present "Wir bauen ein Atomkraftwerk" (We're building a nuclear power plant): Etsy has something for you.

"And then it goes poof and the trees fall over and the cows... that's always a big hello!"
November 21, 2024 at 6:56 PM
The hr interviewed me yesterday to find out whether smartphones really eavesdrop on what we talk about in order to then show us matching ads. I've had that feeling too, but it remains a feeling. A rather creepy one, though. Link to the ARD Mediathek will follow as a reply.
October 24, 2023 at 7:45 AM
Funny coincidence, that. 😉
October 19, 2023 at 7:20 AM
After a brief professional hiatus, I am now working for heise, Germany's leading IT news watering hole. And you might have guessed: I'm doing security stuff. ;-)
October 2, 2023 at 9:38 AM