After yet another workout where my sports watch completely lost GPS, I’d had enough. I decided to dig into its firmware and pinpoint the problem. I couldn’t find it published anywhere. No download section, no public archive, nothing. So, I changed tactics and went in through the Android app instead, […]

# Drawbot: Let’s Hack Something Cute! ## The Target A few months ago I realized I was overdue for a fun, quirky hardware project. Every so often I like to see what new and interesting electronic children’s toys are out there. When looking, I keep in mind the potential attack […]

Key Findings During the third quarter of 2025, we monitored more than **85 active data leak sites** (DLS) that collectively listed **1,592 new victims**. Compared to the **1,607 victims reported in Q2** 2025, the publication rate remained stable though it is still **notably higher** than the 1,270 victims recorded in […]

# Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) There’s an elegance to vulnerability research that feels almost poetic – the quiet dance between chaos and control. It’s the art of peeling back the layers of complexity, not to destroy but […]

Director of Research **Published:** 11 November 2025 at 14:41 UTC **Updated:** 11 November 2025 at 14:41 UTC If you’ve ever used Burp Intruder or Turbo Intruder, you’ll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting the table via length, status code, etc. I’ve […]

Researcher **Published:** 10 December 2025 at 12:32 UTC **Updated:** 10 December 2025 at 12:37 UTC This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusion, and a new class of Void Canonicalization attacks. […]

## **Information** 1. This is a solo CTF event open to women residing in Singapore or Malaysia. 2. To register and be eligible for the prizes: – Register on CTFd, and select the **“eligible”** bracket. – Confirm your eligibility by filling in the Google Form. 3. The flag format is […]

# What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) Happy Friday, friends and.. others. We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend! ### What’re We Doing Today, Mr Fox? Today, in a tale that […]

_By: Dikla Barda, Roaman Zaikin & Oded Vanunu_ On November 3, 2025, Check Point Research’s blockchain monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts. The attacker exploited arithmetic precision loss in pool invariant calculations to drain **$128.64 million** across six blockchain networks in under 30 minutes. The […]

# Site Unseen: Enumerating and Attacking Active Directory Sites Active Directory Sites are a feature allowing to optimize network performance and bandwidth usage in AD internal environments. They are commonly implemented by large, geographically dispersed organizations spanning accross multiple countries or continents. Sites did not receive much attention by the […]