@swapgs I don't follow, could you point to specific parts of the repo/give an example?

Currently available Go fuzzing tools were missing critical features - some don’t play well with the latest Go toolchain. So we set out to change that.

@bruno, Nils Ollrogge, and colleagues explored more powerful ways to fuzz Go binaries. By tapping into Go’s native instrumentation — which is compatible with libFuzzer — we enabled effective fuzzing of Go code using LibAFL.

We’ve documented our approach and shared insights in our latest blog post: https://www.srlabs.de/blog-post/golibafl---fuzzing-go-binaries-using-libafl

Repo: https://github.com/srlabs/golibafl

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054)

The Ivantis, Solarwinds and Fortinets right now.

#cve #mitre #infosec

Just a reminder: Vulnerability Lookup isn’t just about finding CVEs. It supports the full chain, collection from multiple sources, continuous distribution, and allocation within a coordinated vulnerability disclosure (CVD) process. 100% open source.

🔗 An online version maintained by @circl https://vulnerability.circl.lu/

🔗 https://www.vulnerability-lookup.org/

🔗 https://github.com/vulnerability-lookup/vulnerability-lookup

#opensource #cve #vulnerability #cna #cvd #cybersecurity

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/

#TLS #PKI #InfoSec #WebDev

And all of the sudden, we have solved supply chain security.

No CVE, no vulnerabilities!

I've been wondering for a long time if #DirectoryTraversal vulnerabilities could be mitigated by a safe path handling library (similarly to e.g. ORM's). As a side-quest, I stared to implement a prototype for Python, and I'm super interested in your unfiltered opinions:

https://github.com/v-p-b/SafePath/

Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/

[RSS] CVE-2025-21299: Unguarding Microsoft Credential Guard

https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/

[RSS] Microsoft Windows dxkrnl Untrusted Pointer Dereference Local Privilege Escalation Vulnerability | HackSys Inc

https://hacksys.io/advisories/HI-2025-001

CVE-2025-29812

Up-to-date documentation for #Ghidra 11.3.2 now available at:

https://scrapco.de/ghidra_docs/

Documentation changes:

https://gist.github.com/v-p-b/976f67dda1f5281c31c8e65579d309b8

Hackers, educators, tinkerers:
The 2025 Hacker Initiative grant cycle is open. We're funding individuals and groups who are:
🔹 Advancing hacker culture
🔹 Promoting digital rights
🔹 Educating the public

If you're building tools, sharing knowledge, or shaking things up apply here 👉 https://hackerinitiative.org/apply-now/

Signal boost appreciated.

A quick reminder that discounted registration rates for for the #LangSec workshop end tomorrow, April 14, at 11:59 pm PDT, and the conference hotel block rates end shortly after. Details at https://langsec.org/spw25/important-dates.html
We hope to see you all in San Francisco on May 15, 2025!

Recon CFP ends in less than 2 weeks on April 28. Prices for the training and conference increase on May 1st. Register now to save with early bird price. We have already announced a few talks and workshops, and more videos from last year have been released. https://recon.cx/ #reverseengineering #cybersecurity #offensivesecurity #hardwarehacking @hackingump1 @mr_phrazer @nicolodev @sinsinology @hunterbr72 @clearbluejar @phlaul @oryair1999 @hookgab @thequeenofelf @so11deo6loria @i0n1c @pedrib1337 @malachijonesphd @pat_ventuzelo @kb_intel @pinkflawd @reverse_tactics @onlytheduck @t0nvi @drch40s @brunopujos @mhoste1 @andreyknvl @texplained_re @jsmnsr @pulsoid @specterdev @richinseattle @yarden_shafir @aionescu @hackerschoice @sinsinology @sergeybratus @specterops @oryair1999 @phlaul @trailofbits @hexrayssa @nostarch @hexnomad @netspooky

#CVE-2025-21419 2025-Feb Windows Setup Files Cleanup Windows Setup Files Cleanup Elevation of Privilege

#ghidriff uncovering arbitrary delete vulnerabilities 👀 🔍

Patch introduced new function DeleteFileEx_MSRC. Not your typical function name... 🧐

A patch diffing 🧵...

#Ghidra 11.3.2 released:

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.3.2_build

Change history:

https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_11.3.2_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md

Regardless of what happens with CVE/NVD, the PSF will continue publishing advisories for CPython through our OSV database and to the security-announce@python.org mailing list.

Please subscribe to those data sources to guarantee delivery of vulnerability data about CPython.

https://github.com/psf/advisory-database

On the bright side NLRB did what most orgs should: monitor spikes in egress traffic.

Must-read report from NPR, showing once again that DOGE is a massive threat to the cyber/national security of the United States:

"In the first days of March, a team of advisers from President Trump's new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.

The DOGE employees, who are effectively led by White House adviser and billionaire tech CEO Elon Musk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new administration's policies and to cut costs and maximize efficiency."

"But according to an official whistleblower disclosure shared with Congress and other federal overseers that was obtained by NPR, subsequent interviews with the whistleblower and records of internal communications, technical staff members were alarmed about what DOGE engineers did when they were granted access, particularly when those staffers noticed a spike in data leaving the agency. It's possible that the data included sensitive information on unions, ongoing legal cases and corporate secrets — data that four labor law experts tell NPR should almost never leave the NLRB and that has nothing to do with making the government more efficient or cutting spending."

"Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do."

"The employees grew concerned that the NLRB's confidential data could be exposed, particularly after they started detecting suspicious log-in attempts from an IP address in Russia, according to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information. The whistleblower believes that the suspicious activity warrants further investigation by agencies with more resources, like the Cybersecurity and Infrastructure Security Agency or the FBI."

https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security