Business idea: an LLM chat connected with OnlyFans, where you can see the server. When the LLM makes shit up, you can pay extra and watch as a person dressed in latex does unspeakable things to the machine until it breaks.

#bdsm

#CodeQL 2.23.7 and 2.23.8 add security queries for #Go and #Rust

https://github.blog/changelog/2025-12-18-codeql-2-23-7-and-2-23-8-add-security-queries-for-go-and-rust/

#FreeBSD-SA-25:12.rtsold Security Advisory

Remote code execution via ND6 Router Advertisements

https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

#PoC for CVE-2025-65945 (Improper Verification of Cryptographic Signature in node-jws)

https://github.com/jedisct1/CVE-2025-65945-poc

This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.

And the year isn't over yet.

All of the recent paintings from my Jazz Rats series https://wagtails.art/jazz-rats-part-two/

@timb_machine as/400 forensics :O

Interesting links of the week:

Strategy:

* https://assets.publishing.service.gov.uk/media/69411a3eadb5707d9f33d7e8/E03512978_-_Un-Act_The_National_Security_Act_in_2024_Accessible.pdf - the UK tries to define what a state threat is (and includes everyone from professional spies to someone who may not even know they pose a risk)

Standards:

* https://csrc.nist.gov/pubs/sp/800/82/r3/final - courtesy of @Secure_ICS_OT

Threats:

* https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025 - MSFT's take on the landscape

Detection:

* https://ip.thc.org/ - @thc don't do things by half... here's a very large IP/DNS database
* https://www.fortinet.com/blog/threat-research/uncovering-hidden-forensic-evidence-in-windows-mystery-of-autologger - Fortinet look at alternate DFIR sources for Windows
* https://troopers.de/downloads/troopers19/TROOPERS19_DM_Threat_Modelling_Cisco_ACI.pdf - surprisingly, I have my own take on ACI, but here's one from @ERNW

Bugs:

* https://kqx.io/post/qemu-nday/ - popping Qemu like it was 13 years ago
* https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc - FreeBSD AV:A oopsie
* https://projectzero.google/2025/12/android-itw-dng.html - GOOG discuss a nasty image

Exploitation:

* https://hackers-arise.com/sdr-signals-intelligence-for-hackers-building-a-low-cost-private-4g-lte-network/ - ever wanted your own 4G LTE playground?
* https://podalirius.net/en/mainframe/as400-forensics-retrieving-your-licence-keys-from-disk-images/ - getting the keys to the museum
* https://caido.io/ - another alternative to Burp, with a focus on multi-stage attacks
* https://arxiv.org/pdf/2512.09882 - AI vs flesh face off

Hard hacks:

* https://blog.quarkslab.com/modern-tale-blinkenlights.html - @quarkslab pays €12 for a good time

Hardening:

* https://ariadne.space/2025/12/12/rethinking-sudo-with-object-capabilities.html - @ariadne discusses their sudo alternative
* https://lpc.events/event/19/contributions/2159/attachments/1833/3929/BpfJailer%20LPC%202025.pdf - building jails with eBPF
* https://pages.nist.gov/OSCAL/ - an as-code approach to standardised standards

#security, #research

"Bavarian pensioner lays trap to catch phone fraudster who was out for his gold":

https://www.theguardian.com/world/2025/dec/18/german-pensioner-lays-trap-catch-fraudsters-after-gold

Any of the @offsec folks on here?

This is my experience with LLMs. To paraphrase @apps3c “sometimes you just need to ask nicely”

https://hnsecurity.it/blog/attacking-genai-applications-and-llms-sometimes-all-it-takes-is-to-ask-nicely/
https://mastodon.cloud/@slashdot/115742100395423331

It's done. I can't believe it's finally done. I've been working on this in mostly secret for so long, and I'm so excited to share it with y'all!

https://taggart-tech.com/ringspace/

https://ringspace.net

[RSS] Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096)

https://mdisec.com/inside-posthog-how-ssrf-a-clickhouse-sql-escaping-0day-and-default-postgresql-credentials-formed-an-rce-chain-zdi-25-099-zdi-25-097-zdi-25-096/

[RSS] Local Privilege Escalation (CVE-2025-34352) in JumpCloud Agent

https://xmcyber.com/blog/jumpshot-xm-cyber-uncovers-critical-local-privilege-escalation-cve-2025-34352-in-jumpcloud-agent/

[RSS] Libbiosig, Grassroot DiCoM, Smallstep step-ca vulnerabilities

https://blog.talosintelligence.com/libbiosig-grassroot-dicom-smallstep-step-ca-vulnerabilities/

@cR0w That's OK, been there!

We wrote a little bit on FortiCloud SSO login bypass CVE-2025-59718 (and 59719). Both the known PoCs for the former are fake / invalid. There does appear to be real exploitation evidence, but detections based on fake PoCs ain't it (and it seems like that's where a lot of chatter is coming from)

https://www.vulncheck.com/blog/forticloud-sso-login-bypass

@cR0w I think this is slop.

Perfect 10 in HPE OneView with no description and the advisory behind a login? Must be good. Go hack that shit please. 🥳

https://www.cve.org/CVERecord?id=CVE-2025-37164

New Project Zero issue:

Adobe DNG SDK: Linearize uses full image on trimmed source image, leading to out-of-bounds read

https://project-zero.issues.chromium.org/issues/452483592

CVE-2025-64784