This comprehensive security report investigates unpatchable vulnerabilities in Windows 10 and11, focusing on systemic flaws that resist traditional patching due to their deep integration intothe operating system’s architecture, hardware dependencies, and legacy compatibility requirements. These vulnerabilities, rooted in fundamental design choices and ecosystem constraints,pose significant challenges to securing millions of Windows devices worldwide. The report examines three critical vulnerabilities: legacy BIOS/UEFI firmware weaknesses, kernel memorymanagement flaws, and backward compatibility with legacy protocols. It provides a detailedtechnical analysis, exploitation vectors, detection challenges, and comprehensive mitigationstrategies. With Windows 10 approaching its end-of-support deadline in October 2025, theseflaws pose heightened risks, necessitating proactive defenses. This report adheres to responsible disclosure principles and aims to support Microsoft’s efforts to strengthen Windows securityin 2025.
In the high-stakes arena of cybersecurity, Microsoft Defender stands as a cornerstone ofWindows security, integrating a sophisticated array of defenses: the Antimalware Scan Interface (AMSI) for runtime script scanning, Endpoint Detection and Response (EDR) forreal-time telemetry, cloud-based reputation services for file analysis, sandboxing for isolated execution, and machine learning-driven heuristics for behavioral detection. Despiteits robust architecture, attackers increasingly bypass these defenses—not by exploitingcode-level vulnerabilities within the Microsoft Security Response Center’s (MSRC) service boundaries, but by targeting logical vulnerabilities in Defender’s decision-makingand analysis pipelines. These logical attacks manipulate the system’s own rules, turningits complexity into a weapon against it.This article series, Strengthening Microsoft Defender: Analyzing and Countering Logical Evasion Techniques, is designed to empower Blue Teams, security researchers, threathunters, and system administrators with the knowledge to understand, detect, and neutralize these threats. By framing logical evasion techniques as threat models and providingactionable Indicators of Compromise (IoCs) and defensive strategies, we aim to bridgethe gap between attacker ingenuity and defender resilience. Our approach is grounded inethical research, responsible disclosure, and practical application, ensuring that defenderscan anticipate and counter sophisticated attacks without crossing legal or ethical lines.
AI-powered hacking is surging in 2025—deepfakes, autonomous tools, and an AI arms race.
This comprehensive security report investigates unpatchable vulnerabilities in Windows 10 and11, focusing on systemic flaws that resist traditional patching due to their deep integration intothe operating system’s architecture, hardware dependencies, and legacy compatibility requirements. These vulnerabilities, rooted in fundamental design choices and ecosystem constraints,pose significant challenges to securing millions of Windows devices worldwide. The report examines three critical vulnerabilities: legacy BIOS/UEFI firmware weaknesses, kernel memorymanagement flaws, and backward compatibility with legacy protocols. It provides a detailedtechnical analysis, exploitation vectors, detection challenges, and comprehensive mitigationstrategies. With Windows 10 approaching its end-of-support deadline in October 2025, theseflaws pose heightened risks, necessitating proactive defenses. This report adheres to responsible disclosure principles and aims to support Microsoft’s efforts to strengthen Windows securityin 2025
I recently tested a language-learning site that used live frontend filtering to block HTML input (e.g., <img> <svg> tags were removed as you typed).
But by injecting the payload directly via browser console (without typing it), the input was submitted and stored.
Surprisingly, the XSS executed later on my own profile page — indicating stored execution from a DOM-based bypass.
I wrote a short write-up here:
enjoy
The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session?Here you go.
A critical double-free vulnerability has been discovered in the pipapo set module of the Linux kernel’s NFT subsystem. An unprivileged attacker can exploit this vulnerability by sending a specially crafted netlink message, triggering a double-free error with high stability. This can then be leveraged to achieve local privilege escalationץ
Hello! I recently created this forum for anyone who needs to find teammates for CTF or anyone who wants to talk about general cyber. It is completely free and ran from my pocket. I want to facilitate a place for cyber interestees of all levels to get together and compete. The goal is to build a more just, dignified cyber community through collaboration. If this interests you, feel free to check out ctflfg.com.
I’m the creator of the SSCV Framework (System Security Context Vector), an open-source project aimed at improving vulnerability risk scoring for real-world security teams.
Unlike traditional scoring models, SSCV incorporates exploitation context, business impact, and patch status to help prioritize patching more effectively. The goal is to help organizations focus on what actually matters—especially for teams overwhelmed by endless patch tickets and generic CVSS scores.
It’s fully open source and community-driven. Documentation, the scoring model, and implementation details are all available at the link below.
I welcome feedback, questions, and suggestion
Just found zorrochain.foundation, and it’s building a governance infrastructure that’s fully airgap-compatible.
No token, no speculation — just a system using entropy harvesting, offline ID, QR/USB syncing, and vault-based consensus.
No idea if it’s being audited, but conceptually it’s interesting for people thinking about zero-trust systems in collapse conditions.
Microsoft's security team has announced a new process mitigation policy to protect against file system redirection attacks. "Redirection Guard, when enabled, helps Windows apps prevent malicious junction traversal redirections, which could potentially lead to privilege escalation by redirecting FS operations from less privileged locations to more privileged ones.
I covered a fascinating post by Alexander Moch at ERNW about a boot-level Linux vulnerability that lets attackers inject code from the initramfs debug shell. Even with Secure Boot and encryption, a few key presses can drop you to a shell and allow persistent malware to be added.
Luckily, the fix is simple and involves kernel parameters. I break it down here:
https://nerds.xyz/2025/07/linux-initramfs-security-flaw-secure-boot-bypass/
Curious what others are doing to harden this layer.
How can a single .zip file show completely different content to different tools? Read my write up on HackArcana’s “Yet Another ZIP Trick” (75 pts) challenge about crafting a schizophrenic ZIP file.
This medium-difficulty Linux CTF involved:
• Directory bruteforcing to uncover hidden paths
• Remote File Inclusion (RFI) to access sensitive data
• Steganography and password cracking to extract credentials
• Python jail escape leading to privilege escalation
• Full root access gained via SSH
The write-up demonstrates the full exploitation flow — from initial web entry point to root access.
We’re part of the Object Management Group (OMG), which has issued a Request for Proposal (RFP) to develop a standardized approach to DevSecOps integration across the enterprise. If you or your organization are interested in contributing, you can view the full RFP here:
https://www.omg.org/cgi-bin/doc.cgi?c4i/2025-3-4
We’re currently working on a formal response at DIDO Solutions and are seeking constructive feedback and collaboration from the broader DevSecOps, cybersecurity, and infrastructure communities. Our goal is to shape a standard that reflects both technical realities and organizational constraints.
Attached: Requirements Overview (image)
This diagram outlines the role-based breakdown we're using as a foundation covering leadership, engineering, operations, QA, and compliance.
If you have suggestions, critiques, or want to contribute perspectives from the field, we’d love to hear from you. Please feel free to reply directly in the thread or leave comments on the google sheet. We will be converting it into a model by the end:
Overview
If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.
We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.
Please reserve top level comments for those posting open positions.
Rules & Guidelines
Include the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.
You can see an example of acceptable posts by perusing past hiring threads.
Feedback
Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
Disclosure: I work at CyberArk
The research shows that Chrome’s AppBound cookie encryption relies on a key derivation process with limited entropy and predictable inputs. By systematically generating possible keys based on known parameters, an attacker can brute-force the correct encryption key without any elevated privileges or code execution. Once recovered, this key can decrypt any AppBound-protected cookies, completely undermining the isolation AppBound was intended to provide in enterprise environments.
We broke Chrome’s AppBound cookie encryption used in enterprise environments. Using timing-based attacks against the WebView lifecycle, we were able to recover encryption keys and decrypt secure cookies — no root or sandbox escape required. This affects managed Android profiles using MDM and AppBound mode.
(Short link) https://ost2.fyi/Fuzz1001
This course provides an introduction to fuzzing, a software testing technique used to identify security vulnerabilities, bugs, and unexpected behavior in programs. Participants will gain a thorough understanding of fuzzing, including its goals, techniques, and practical applications in software security testing. The course covers a wide range of topics, such as the fundamentals of fuzzing, its working process, and various categories like mutation-based, generation-based, and coverage-guided fuzzing.
Advanced topics include using Address Sanitizer (ASAN) for memory error detection and specialized instrumentation like PCGUARD and LTO mode. Real-world exercises feature CVE analysis in software like Xpdf, libexif, and tcpdump, providing hands-on experience in applying fuzzing techniques to uncover vulnerabilities.
By the end of the course, participants will be equipped with the knowledge and skills to effectively use fuzzing to improve software security.