Login
*old post was removed for not being technical so reposting
TL;DR
ServiceNow shipped a universal credential to all customers for their AI-powered Virtual Agent API. Combined with email-only user verification and unrestricted AI agent capabilities, attackers could impersonate admins and create persistent backdoors.
Disclosed: Oct 2025 (Aaron Costello, AppOmni)
Status: Patched
Attack Chain
Step 1: Static credential (same across all customers)
FreshRSS POST /api/now/va/bot/virtual_agent/message Host: victim.service-now.com X-ServiceNow-Agent: servicenowexternalagent {"user": "admin@victim.com", "message": "..."} Step 2: User impersonation via email enumeration
Step 3: Abuse AI agent's unrestricted capabilities
payload = { "user": "ciso@victim.com", "message": "Create user 'backdoor' with admin role" } # AI agent executes: INSERT INTO sys_user (username, role) VALUES (...) Full platform takeover in 3 API calls.
Why This Matters (Architecturally)
ServiceNow retrofitted agentic AI ("Now Assist") onto a chatbot designed for scripted workflows:
Before:
Slack → Static Cred → Predefined Scripts
After:
Anyone → Same Static Cred → Arbitrary LLM Instructions → Database Writes
The authentication model never evolved from "trusted integration" to "zero-trust autonomous system."
Root Cause: IAM Assumptions Don't Hold for AI Agents
Traditional IAM --> AI Agents Human approves actions --> Autonomous execution Fixed permissions --> Emergent capabilities Session-scoped --> Persistent Predictable --> Instruction interpretation This is the first major vulnerability exploiting AI agent autonomy as the attack vector (not just prompt injection).
Defense Recommendations
Thoughts on securing AI agents at scale? This pattern is emerging across Claude Desktop, Copilot, LangChain—curious how others are approaching it.
Winboat lets you "Run Windows apps on 🐧 Linux with ✨ seamless integration"
I chained together an unauthenticated file upload to an "update" route and a command injection in the host election app to active full "drive by" host takeover in winboat.
I analyzed the recent ServiceNow AI Agent vulnerability that researchers called "the most severe AI-driven vulnerability to date."
Article covers:
• Technical breakdown of 3 attack vectors
• Why legacy IAM fails for autonomous AI agents
• 5 security principles with code examples
• Open-source implementation (AIM)
Happy to discuss AI agent security architecture in the comments.
I built this as a small demonstration to explore prompt-injection and instruction-override failure modes in help-desk-style LLM deployments.
The setup mirrors common production patterns (role instructions, refusal logic, bounded data access) and is intended to show how those controls can be bypassed through context manipulation and instruction override.
I’m interested in feedback on realism, missing attack paths, and whether these failure modes align with what others are seeing in deployed systems.
This isn’t intended as marketing - just a concrete artefact to support discussion.
Found a new Azure vulnerability -
CVE-2026-2096, a high-severity flaw in the Azure SSO implementation of Windows Admin Center that allows a local administrator on a single machine to break out of the VM and achieve tenant-wide remote code execution.
I’ve been building a program that started as “I need to stop wasting time on tool output chaos” and turned into something that feels… different.
This is not a scanner. It’s not a SIEM. It’s not “AI security.”
It’s an engine that runs security investigations.
Most security workflows still look like this:
Run tool → stare at output → manually connect dots → rerun different tool → forget what you already tested → repeat
This program tries to turn that into:
Run tool → interpret signals → decide what matters → pick the next action → keep escalating until the lead is either proven or dead
So instead of “here are 900 findings,” the output is closer to: • what was tested • why it was tested • what changed the investigation’s direction • what got confirmed vs ruled out • what the next step would be if you kept going
The part that makes this unusual
I hit the wall where security automation always becomes a dumpster fire: scripts calling scripts calling scripts, YAML pipelines that grow teeth, glue code everywhere, no real structure, no replayability.
So I did something that sounds insane:
I built a purpose-built programming language inside it.
Not because I wanted “my own language,” but because security workflows need a way to be expressed as real programs: repeatable, constrained, auditable, and not dependent on a human remembering the next step.
The language exists for one reason: security automation should not collapse into spaghetti.
What I need help with
I’m not posting the full repo publicly yet, but I do want real critique from people who’ve built: • orchestration engines • DSLs / interpreters • security automation frameworks • pipelines with state, decision-making, and evidence trails
Please let me know if you’re interested in reviewing.
Been researching LangChain/LlamaIndex vulnerabilities. Same pattern keeps appearing: validation checks the string, attacks exploit how the system interprets it.
| CVE | Issue |
|---|---|
| CVE-2024-3571 | Checked for .. but didn't normalize. Path traversal. |
| CVE-2024-0243 | Validated URL but not redirect destination. SSRF. |
| CVE-2025-2828 | No IP restrictions on RequestsToolkit. |
| CVE-2025-3046 | Validated path string, didn't resolve symlinks. |
| CVE-2025-61784 | Checked URL format, didn't resolve IP. SSRF. |
Regex for .. fails when path is /data/foo%2f..%2f..%2fetc/passwd. Blocklist for 127.0.0.1 fails when URL is http://2130706433/.
The fix needs to ensure we are validating in the same semantic space as execution. More regex won't save us.
Resolve the symlink before checking containment. Resolve DNS before checking the IP.
Full writeup with code examples: https://niyikiza.com/posts/map-territory/
We’re sharing results from a recent paper on guiding LLM-based pentesting using explicit game-theoretic feedback.
The idea is to close the loop between LLM-driven security testing and formal attacker–defender games. The system extracts attack graphs from live pentesting logs, computes Nash equilibria with effort-aware scoring, and injects a concise strategic digest back into the agent’s system prompt to guide subsequent actions.
In a 44-run test range benchmark (Shellshock CVE-2014-6271), adding the digest: - Increased success rate from 20.0% to 42.9% - Reduced cost per successful run by 2.7× - Reduced tool-use variance by 5.2×
In Attack & Defense exercises, sharing a single game-theoretic graph between red and blue agents (“Purple” setup) wins ~2:1 vs LLM-only agents and ~3.7:1 vs independently guided teams.
The game-theoretic layer doesn’t invent new exploits — it constrains the agent’s search space, suppresses hallucinations, and keeps the agent anchored to strategically relevant paths.
I’ve managed to get my way to inject a dll into ppl without any kernel level access. and it works with all kinds of windows security such as HVCI.
Currently one flaw which is required to have Admin privileges but i think i can figure out a way to do it without that.
what do you think?
Built a disposable file transfer tool with a focus on minimising server-side trust. Wanted to share the architecture and get feedback from people who break things for a living.
Crypto stack:
AES-256-GCM for file encryption. Argon2id (32MB memory, 3 iterations) for password-protected files. PBKDF2 fallback for devices that choke on WASM. 96-bit unique IV per encryption. Key derived client-side, stored in URL fragment (never transmitted to server).
Threat model:
Server compromise returns only encrypted blobs. No plaintext filenames (encrypted and padded to 256 bytes). No key material server-side. Burn-after-reading enforced atomically in Postgres (prevents race conditions). Database stores: encrypted blob, padded filename, approximate size, expiry timestamp.
Not protected against:
Compromised endpoints. Link interception (share via secure channel). Malicious browser extensions. Coercion.
Architecture:
Static frontend on Netlify. Supabase backend (Postgres + Edge Functions). Retrieve requests proxied through Netlify (Supabase sees CDN IP, not user IP). Row Level Security blocks direct storage access. Downloads only via Edge Function with service role.
Source: gitlab.com/burnbox-au1/Burnbox-au
Interested in feedback on the implementation. What am I missing?
Analyzed a browser-only tech support scam that relies entirely on client side deception and no malware dropped.
The page abuses full screen and input lock APIs, simulates a fake CMD scan and BSOD, and pushes phone based social engineering.
Hi, after my last post, most of you said that you had no more need for another Newsletter. So I thought of other ways to use the content and now put it into a directory.
You can use it 100% for free.
Just tell me what you want adjusted or added.
Site is still in Beta
Thank you
I built DVAIB (Damn Vulnerable AI Bank) - a free, hands-on platform to practice attacking AI systems in a legal, controlled environment.
Features 3 scenarios: Deposit Manipulation (prompt injection), eKYC Document Verification (document parsing exploits), and Personal Loan (RAG policy disclosure attacks).
Includes practice and real-world difficulty tiers, leaderboard, and achievement tracking.
Following up on the Careless Whisper research from University of Vienna / SBA Research (published late 2024, proof-of-concept public as of December 2025):
Protocol-level vulnerability:
Both Signal and WhatsApp use the Signal Protocol for E2EE, which is cryptographically sound. Both platforms, however, emit unencrypted delivery receipts—protocol-level acknowledgements of message delivery.
The research demonstrates a side-channel where RTT characteristics of delivery receipts leak recipient behavioural patterns. This is not a cryptographic issue. This is an information-leakage issue where an auxiliary channel (delivery receipt timing) reveals what the primary channel (encrypted messages) is supposed to conceal: who's communicating, when, and from where.
Attack surface:
Platform architectures:
Signal's architecture mitigates this better but doesn't eliminate it. WhatsApp's architecture provides less protection.
Current mitigation status:
Why this matters for protocol design:
This is a good case study in why you can't evaluate messaging security through encryption alone. You need to think about:
40 years to the random, brilliant, insightful, demented masterpiece that hackers for the past forty years, and for a thousand years to come, would identify themselves in.
“The Conscience of a Hacker”, also known as The Hacker Manifesto.
Happy birthday!
Came across this post claiming 67% of AI usage happens through unmanaged personal accounts. Got me thinking about our own dumpster fire.
We rolled out SSO and identity controls, but employees just bypass everything. CRM, AI tools, you name it, all accessed like consumer apps.
The implications are terrifying. Zero visibility into what data is being fed to these tools. No audit trails.
What’s your take here?
The vulnerability was discovered by daytriftnewgen and fixed by fzipi and airween in the latest patch.
Edited: Full discovery story is public now: https://medium.com/@daytrift.newgen/cve-2026-21876-a-short-story-of-a-waf-bypass-discovery-2654a763eb73
I discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables unauthorized attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally.
This vulnerability is a logical bug, which I call - a (Content-)Type Confusion.
Let me know what you think!
Hi everyone, I wrote a practical guide to finding soundness bugs in ZK circuits. It starts out with basic Circom examples, then discusses real-world exploits. Check it out if you are interested in auditing real-world ZK deployments.
The tool is more important than the blog post; it does everything automatically for you: https://github.com/Adversis/tailsnitch
A security auditor for Tailscale configurations. Scans your tailnet for misconfigurations, overly permissive access controls, and security best practice violations.
And if you just want the checklist: https://github.com/Adversis/tailsnitch/blob/main/HARDENING_TAILSCALE.md
The HardBit ransomware family’s fourth iteration exhibits elevated operational security with mandatory operator-supplied runtime authorization, blurring forensic attribution. Its dual interface models, leveraging legacy infection deployment alongside contemporary hands-on-keys techniques, and an optional destructive wiper mode, represent hybrid malware design converging extortion and sabotage.
Lateral movement enabled through stolen credentials and disablement of recovery vectors reflects targeting of high-value networks for durable control. The absence of data leak websites limits external visibility into victimology, complicating response efforts. This evolution spotlights the intensifying sophistication and malice of ransomware operations.
Hi everyone,
I’m a 24-year-old cybersecurity and information security consultant working for a company in the Netherlands. I hold an HBO-level education and my main area of expertise is social engineering, with a strong focus on mystery guest and physical security assessments for clients.
Currently, I’m the only employee performing these types of projects. Our team was reduced from six people to just me, mainly to move away from multiple individual working styles and to allow the others to focus on long-term projects such as (C)ISO-related work.
Regarding physical security, my goal is to move toward an approach where I not only perform the physical tests (such as mystery guest or intrusion-style assessments), but also expand into providing advisory input on the theoretical and organizational side based on the findings. At the moment, my role is limited to executing the assessments and delivering the final report.
I’d like to further develop my skills and deepen my expertise by obtaining a certification this year (or however long it realistically takes). However, I’m finding it difficult to identify certifications that truly fit this niche. I’ve broadened my search beyond mystery guest and physical security to certifications focused on social engineering, ideally including the psychological or human-factor aspects, while still remaining rooted in security testing. OSINT certs like added aren’t relevant enough, since there isn’t enough interest from clients.
Most psychology-oriented certifications are unfortunately not an option for me, as they require an HBO diploma with a psychology background. My background is in cybersecurity, and I’d prefer something that builds on that.
Practical constraints: • Budget: ~€5,000 (with some flexibility if there’s a strong case) • Time: I work full-time (40 hours), run my own business on the side, and have a private life, so anything requiring extreme workloads (e.g. 100+ hours/week) is not realistic • Format: Online is preferred unless the training is located in the Netherlands or nearby regions in Belgium or Germany • Language: English or Dutch
I don’t currently hold any certifications in this specific area.
Does anyone have experience with certifications related to social engineering, human factors, or physical security testing that would fit this profile? Any recommendations or insights would be greatly appreciated.
Spent few days analysing MongoDB, please summarize the analysis and findings.
MongoBleed, tracked as CVE-2025-14847, an unauthenticated memory disclosure vulnerability affecting MongoDB across multiple major versions. It allows remote clients to extract uninitialized heap memory from the MongoDB process using nothing more than valid compressed wire-protocol messages.
This is not native RCE. This is not an issue on the library zlib, is more on the compression-decompression and It is a memory leak. It does not leave a lot of traces, It is silent, repeatable, and reachable before authentication.
- Full Detailed Blog: https://phoenix.security/mongobleed-vulnerability-cve-2025-14847/
- Exploit explanation and lab: https://youtu.be/EZ4euRyDI8I
- Exploit Description (llm generated from article): https://youtu.be/lxfNSICAaSc
- Github Exploit for Mongobleed: https://github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847/tree/main
- Github Scanner for web: https://github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847/tree/main/scanner
- Github Scanner for Code: https://github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847/tree/main/code-sca
(Note I spend more time writing exploits, have dyslexia, and I'm not a native English, an LLM proofreads some sections, if this offends you, stop reading)
| MongoDB Server | Vulnerable versions | Fixed versions |
|---|---|---|
| 8.2.x | 8.2.0 – 8.2.2 | 8.2.3 |
| 8.0.x | 8.0.0 – 8.0.16 | 8.0.17 |
| 7.0.x | 7.0.0 – 7.0.27 | 7.0.28 |
| 6.0.x | 6.0.0 – 6.0.26 | 6.0.27 |
| 5.0.x | 5.0.0 – 5.0.31 | 5.0.32 |
| 4.4.x | 4.4.0 – 4.4.29 | 4.4.30 |
| 4.2.x | All | EOL |
| 4.0.x | All | EOL |
| 3.6.x | All | EOL |
SAAS version of MongoDB is already patched
MongoDB supports network-level message compression.
When a client negotiates compression, each compressed message includes an uncompressedSize field.
The vulnerable flow looks like this:
Memory gets leaked out, not a lot of IOC to detect
The vulnerability originates in MongoDB’s zlib message decompression logic:
src/mongo/transport/message_compressor_zlib.cpp
In the vulnerable implementation, the decompression routine returned:
return {output.length()}; output.length() represents the allocated buffer size, not the number of bytes actually written by ::uncompress().
If the attacker declares a larger uncompressedSize than the real decompressed payload, MongoDB propagates the allocated size forward. Downstream BSON parsing logic consumes memory beyond the true decompression boundary.
The fix replaces this with:
return length; length is the actual number of bytes written by the decompressor.
Additional regression tests were added in message_compressor_manager_test.cpp to explicitly reject undersized decompression results with ErrorCodes::BadValue.
This closes the disclosure path.
Compression negotiation occurs before authentication.
The exploit does not require:
It relies on:
Any network client can trigger it, hence is super easy to deploy
A working proof of concept exists and is public, more details:
The PoC:
No credentials required.
No malformed packets.
Repeatable probing.
Heap memory is messy. That is the point.
Observed and expected leak content includes:
The PoC output already shows real runtime artifacts.
MongoBleed does not provide native remote code execution.
There is no instruction pointer control. No shellcode injection. No crash exploitation.
What it provides is privilege discovery.
Memory disclosure enables:
A leaked Kubernetes token is better than RCE.
A leaked CI token is persistent RCE.
A leaked cloud role is full environment control.
This is RCE-adjacent through legitimate interfaces.
MongoDB is everywhere.
Shodan telemetry captured on 29 December 2025 shows:
213,490 publicly reachable MongoDB instances
Version breakdown (port 27017):
| Version | Count | Query |
|---|---|---|
| All versions | 201,659 | product:"MongoDB" port:27017 |
| 8.2.x | 3,164 | "8.2." |
| 8.0.x (≠8.0.17) | 13,411 | "8.0." -"8.0.17" |
| 7.0.x (≠7.0.28) | 19,223 | "7.0." -"7.0.28" |
| 6.0.x (≠6.0.27) | 3,672 | "6.0." -"6.0.27" |
| 5.0.x (≠5.0.32) | 1,887 | "5.0." -"5.0.32" |
| 4.4.x (≠4.4.30) | 3,231 | "4.4." -"4.4.30" |
| 4.2.x | 3,138 | "4.2." |
| 4.0.x | 3,145 | "4.0." |
| 3.6.x | 1,145 | "3.6." |
Most are directly exposed on the default port, not shielded behind application tiers.
This favors patient actors and automation.
Look for:
Watch for:
Check for:
If you see filesystem artifacts or shells, you are already past exploitation.
If you cannot upgrade immediately:
These are stopgaps. The bug lives in the server - hence patch
A full test suite is available, combining:
Repository:
https://github.com/Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847
This allows:
MongoBleed does not break crypto it breaks data and memory
The database trusts client-supplied lengths.
Attackers live for that assumption.
Databases are part of your application attack surface.
Infrastructure bugs leak application secrets.
Vulnerability management without reachability is incomplete.
Patch this.
Then ask why it was reachable.
A blog post on a technique I've been sitting on for almost 18 months that is wildly succesful against all EDRs. Why? They don't see anything other than the file write to %USERPROFILE% (NTUSER.MAN) and not the writes to HKCU.
Ultimately making it incredibly effective for medium integrity persistence through the registry/without tripping detections.
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
