Get in touch

Research

Research Articles

When Audits Fail Part 2: From Pre-Auth SSRF to RCE in TRUfusion Enterprise

A pre-auth SSRF in TRUfusion Enterprise (CVE-2025-32355) allows external attackers to reach internal-only services via a misconfigured reverse proxy. This enables access to the internal Axis2 file-upload service "WsPortalV6UpDwAxis2Impl" using default credentials, while a path traversal in upload path handling (CVE-2025-59793) enables arbitrary file writes to web-accessible directories. Chained together, these flaws enable unauthenticated remote code execution.

Feb 16, 2026

Exploiting A Pre-Auth RCE in W3 Total Cache For WordPress <= 2.9.1 (CVE-2025-9501)

We recently came across a very brief vulnerability announcement made by WPScan about CVE-2025-9501, which is described as an "Unauthenticated Command Injection" in the quite famous W3 Total Cache plugin for WordPress affecting all versions up to 2.8.13. This immediately caught our attention because with 1+ million active installations, it is one of the more wide-spread plugins, which we've also encountered numerous times in our customer pentests.

Nov 19, 2025

When Audits Fail Part 1: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise

In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn't expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights.

Sep 30, 2025

SAP Emarsys SDK for Android Sensitive Data Leak (CVE-2023-6542)

In late 2023, we've discovered and coordinated a quite interesting vulnerability affecting the Emarsys SDK for Android versions 3.6.1 and below with the respective vendor, SAP. While the overall coordination process went smoothly, the security advisory published by SAP only had a brief and partially misleading description of the vulnerability: Due to the lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application.

Apr 10, 2025

WordPress GiveWP POP to RCE (CVE-2024-5932)

A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular Wordpress Plugin GiveWP in all versions donor_meta->get_meta() method. Bypassing stripslashes\_deep One thing that does not immediately stand out but will get important later is the usage of stripslashes_deep during the validation of the $user_info array, which contains the vulnerable user_title attribute: Why is that important?

Aug 26, 2024

Patch Diffing CVE-2023-28121 to Compromise a WooCommerce

Back in March 2023, I noticed an interesting security advisory that was published by Wordfence about a critical "Authentication Bypass and Privilege Escalation" (aka CVE-2023-28121) affecting the "WooCommerce Payments" plugin which has more than 600.000 active installs according to WordPress. Since one of my customers was running a WooCommerce instance with the vulnerable version of the plugin, but there wasn't a publicly available PoC/exploit back then, I decided to look at it and build an exploit for it.

Jul 3, 2023

WordPress Transposh: Exploiting a Blind SQL Injection via XSS

Introduction You probably have read about my recent swamp of CVEs affecting a WordPress plugin called Transposh Translation Filter, which resulted in more than $30,000 in bounties: [\[CVE-2021-24910\] Transposh &: It's still a limitation, but easy to work around: we're just going to replace the required comparison characters with a between x and y. We don't actually care about " and & since the payload doesn't really require them.

Jul 22, 2022

CVE-2018-7841: Schneider Electric U.Motion Builder Remote Code Execution 0-day

I came across an unauthenticated Remote Code Execution vulnerability (called CVE-2018-7841) on an IoT device which was apparently using a component provided by Schneider Electric called U.Motion Builder. While I've found it using my usual BurpSuite foo, I later noticed that there is already a public advisory about a very similar looking issue published by ZDI named Schneider Electric U.Motion Builder track\_import\_export SQL Injection Remote Code Execution Vulnerability (ZDI-17-378) aka CVE-2018-7765).

May 13, 2019

CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data

The authors of check\_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the oldstable version 1.2.8p25 and below of both check\_mk and check\_mk Enterprise. It's basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure of authentication credentials to an unauthenticated user.

Oct 18, 2017

CVE-2017-14956: AlienVault USM Leaks Sensitive Compliance Information via CSRF

I usually try to avoid blogging about Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, just because they are basically everywhere - except if they can be used to achieve something cool ;-) In this specific case I have found a particularly interesting CSRF vulnerability, which allows attackers to extract very sensitive compliance information...from a costly security appliance! Security Appliances are vulnerable too!

Oct 13, 2017

OK Google, Give Me All Your Internal DNS Information!

In late January, I have found and reported a Server-Side Request Forgery (SSRF) vulnerability on toolbox.googleapps.com to Google's VRP, which could be used to discover and query internal Google DNS servers to extract all kinds of corporate information like used internal IP addresses across the company as well as A and NS records exposing all kinds of hosts like Google's Active Directory structures and also a fancy Minecraft server! :-) So here's a quick write-up about the vulnerability.

Mar 1, 2017

Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)

The German Magix Software GmbH rewarded me with a Hall of Fame listing and a free Magix Music Maker 2014 Premium license for my reports of several serious security issues in the online infrastructures of magix.com and xara.com, which could be used to break both sites entirely: At this point, I'd like to thank the Magix Security Team for their really fast and always transparent responses and the good coordination process as a whole. This is a perfect example of how the communication between the bug bounty operator and the researcher can satisfy both parties.

Apr 26, 2014

CVE-2013-3934: Kingsoft Office Writer v2012 8.1.0.3385 Buffer Overflow SafeSEH Bypass Exploit

Hello readers, Pop a calculator here, pop one there! I'm focusing on exploit development at the moment, because I love calculators ;-). My exploit targets the vulnerability described in CVE-2013-3934: Stack-based buffer overflow in Kingsoft Writer 2012 8.1.0.3030, as used in Kingsoft Office 2013 before 9.1.0.4256, allows remote attackers to execute arbitrary code via a long font name in a WPS file.

Nov 27, 2013

ABBS Audio Media Player v3.1 WinALL Exploit

A few weeks ago, one of my followers asked me if I can help him writing a functional exploit for the current version of the Audio Media Player by ABBS because he's experiencing problems with successfully exploiting a NULL-byte issue. All exploits that are available over at the Exploit Database like this one or even this Metasploit module are either only working on specific versions of Windows or are not working with the current version of the application.

May 5, 2013

TÜV-Nord Fixes Multiple XSS Flaws after Consulting the Data Security Officer of Niedersachsen

Hello readers! Take a moment and read the following article on Wikipedia about the German TÜV which is described as: TÜVs (German pronunciation: \[ˈtʏf\]; short for German: Technischer Überwachungs-Verein, English: Technical Inspection Association) are German organizations that work to validate the safety of products of all kinds to protect humans and the environment against hazards.

Mar 16, 2013

CVE-2014-2087: Free Download Manager CDownloads_Deleted:: UpdateDownload() Remote Code Execution

I've discovered another 0day Remote Code Execution flaw in a CNET.com Top10 software of its category, which has been downloaded more than 6 million times right now. Affected Versions and CVSS I've successfully verified the vulnerability in the following versions (but any older versions may be affected too): Free Download Manager v3.9.3 build 1360 (latest) Free Download Manager v3.8 build 1173 Free Download Manager v3.0 build 852 The CVSS score is 9,3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) because there is a little bit of user interaction needed.

Mar 13, 2013

Bypassing SafeSEH Memory Protection in Zoner Photo Studio v15

My last advisory IA42 "Zoner Photo Studio v15 Build3 (Zps.exe) Registry Value Parsing Local Buffer Overflow" looks like a general exploitable vulnerability, but it is quite interesting to exploit because there is a major memory protection in use: SafeSEH. But first of all, let's have a look at the PoC-Script, which demonstrates the vulnerability: The application loads the value from the "Issuer" Registry key during the launch and crashes: May the exploit development begin.

Nov 9, 2012

Ricoh DC Software DL-10 FTP Server (SR10.exe) Remote Buffer Overflow Vulnerability

This time I've found a more critical vulnerability with a CVSSv2 score of 7,5 coordinated by Secunia.com which has already been published on 2012-03-01, but due to a very unfortunate way of communication by Secunia, I haven't been informed about the release of the advisory - that's the reason for the late article on it :-( But anyways, this vulnerability is a perfect example of how not to react to confidentially reported security issues: Ricoh did not response to any of Secunia's notifications since my discovery and reporting of the bug on 2012-02-05. Even if it's not one of their flagship products, there are always customers who take care of their entire network security and who don't like security breaches at all!

Mar 21, 2012