🦘🛜Compromising bastion host to gain full control over the internal infrastructure.
Read more about the vulnerabilities we uncovered in JumpServer in our recent blog post:

https://www.sonarsource.com/blog/diving-into-jumpserver-attackers-gateway-to-internal-networks-1-2?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-diving-into-jumpserver-attackers-gateway-to-internal-networks-250319-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #security #vulnerability

🌪️ TyphoonPWN is back for its 7th year at TyphoonCon! 💻💰
This year, we’re offering up to $70,000 for discovering and exploiting Linux Privilege Escalation vulnerabilities.
Remote participation is allowed, so grab your gear, sharpen your knowledge, and sign up: https://typhooncon.com/typhoonpwn-2025/

@greg ccls.nvim worked best so far, but now I'm wrestling with Emacs where I expected components like the tree buffers to be better integrated. Now I'm stuck because the keys for file manipulation don't seem to work if the tree displays code elements :P

@hajovonta Yeah, I got into this because I want static tooling :/

@greg Maybe disqualifying coc because of node was a mistake on my end...

@hajovonta Apparently people did the implementation, but documentation is seriously lacking. Unfortunately I don't feel I have the experience to contribute, otherwise I'd just open PR's like crazy.

Do you happen to have a solution for Emacs to generate call hierarchies (func1--calls-->func2) without LSP?

In case anyone is wondering why people use VSCode: I spent most of the day configuring LSP's for graybeard editors (vim/emacs) and God my head hurts!

[RSS] Advisory X41-2025-001: Multiple Vulnerabilities in OpenSlides

https://x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides/

How is that Sourcetrail development was not picked up by anyone?

https://github.com/CoatiSoftware/Sourcetrail

Useful piece. Solar panels are largely cloud managed, and now in The Netherlands alone create the same power as 50 of our nuclear power plants. If you switch this 25GW on/off remotely, the consequences could be huge. And we do not regulate these cloud platforms at all: https://www.dw.com/en/how-hackers-capture-your-solar-panels-and-cause-grid-havoc/a-71593448

It seems that our Veeam CVE-2025-23120 post is live.

I would never do this research without @SinSinology He insisted a lot, thx man. 😅

If you know CVE-2024-40711, this vuln can be patch-diffed and exploit armed in 5 minutes. Unfortunately, it's super simple at this point.

https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/

[RSS] You can't simulate keyboard input with PostMessage, revisited

https://devblogs.microsoft.com/oldnewthing/20250319-00/?p=110979

Love the prank call example :D

Our first video from RE//verse 2025 is live! Part journey of personal discovery, part technical deep-dive, this presentation from Markus Gaasedelen was the highest rated in the feedback survey and is a must-see talk: https://youtu.be/hGlIkgmhZvc

My writeup for the KalmarCTF challenge "no sqli" is out, covering the exploitation of CVE-2024-6382, an integer overflow in the Rust's MongoDB library. A very interesting challenge, enjoy! :)

https://worty.fr/post/writeups/kalmarctf2025/

Robert De Niro on a Netflix show (Zero Day) mentioning the O.MG Cable! 😎

Shoutout to whoever did the text, you got the silent punctuation perfectly.

@mcc every Spring developer answering any question:

"you just add these 3 lines of code"

WHERE?!

Perfectly reasonable reaction 🤣

There’s been a lot written about the Walkman over the years, but no one has really focused on the first ten years to show how its early evolution took shape. Here’s a sneak peek of how the article is coming together. I can’t wait for you all to check it out in Issue 2! Download Issue 1 in PDF for FREE! https://www.patreon.com/posts/get-first-issue-123662381