Stephen Fewer
@stephenfewer.bsky.social
Senior Principal Security Researcher at @rapid7.com. Specializing in software vulnerabilities and exploitation. stephenfewer.github.io
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
October 6, 2025 at 8:39 AM
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
and shout out to @iagox86.bsky.social who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
September 24, 2025 at 1:35 PM
and shout out to @iagox86.bsky.social who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64 😅
July 23, 2025 at 5:06 PM
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64 😅
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
GitHub - sfewer-r7/CVE-2025-22457
Contribute to sfewer-r7/CVE-2025-22457 development by creating an account on GitHub.
github.com
April 10, 2025 at 6:20 PM
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
Our @metasploit-r7.bsky.social exploit module for unauthenticated RCE against BeyondTrust Privileged Remote Access & Remote Support is now available. The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 for RCE: github.com/rapid7/metas...
Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) by sfewer-r7 · Pull Request #19877 · rapid7/metasploit-framework
Overview
This pull request adds an unauthenticated RCE exploit module targeting BeyondTrust Privileged Remote Access & Remote Support, leveraging CVE-2024-12356 + CVE-2025-1094.
CVE-2024-12356 ...
github.com
February 13, 2025 at 4:05 PM
Our @metasploit-r7.bsky.social exploit module for unauthenticated RCE against BeyondTrust Privileged Remote Access & Remote Support is now available. The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 for RCE: github.com/rapid7/metas...
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day ...our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! 👀 attackerkb.com/topics/G5s8Z...
attackerkb.com
February 13, 2025 at 4:05 PM
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day ...our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! 👀 attackerkb.com/topics/G5s8Z...
100% this!! They're amazing 😃
January 23, 2025 at 7:52 AM
100% this!! They're amazing 😃
PoC for CVE-2025-0282 targeting 22.7r2.4 can be found here: github.com/sfewer-r7/CV...
GitHub - sfewer-r7/CVE-2025-0282: PoC for CVE-2025-0282: A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways
PoC for CVE-2025-0282: A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways - sfewer-r7/CVE-2025-0282
github.com
January 16, 2025 at 3:52 PM
PoC for CVE-2025-0282 targeting 22.7r2.4 can be found here: github.com/sfewer-r7/CV...
Without a suitable info leak you have to brute force the 32bit base address of a shared library, and with 9 bits of entropy this can take upwards of 1.5 hours, although in practice it can be much quicker. Regardless of the time it takes to succeed, exploitation is reliable.
January 16, 2025 at 3:52 PM
Without a suitable info leak you have to brute force the 32bit base address of a shared library, and with 9 bits of entropy this can take upwards of 1.5 hours, although in practice it can be much quicker. Regardless of the time it takes to succeed, exploitation is reliable.