I finally found the perfect bug to play with wrapwrap and get RCE on Monero forums

After that, very classic exploitation steps. The only twist is that I didn't expect Laravel to unserialize() session cookies when the session driver is set to Redis (at least this version).

https://swap.gs/posts/monero-forums/

#php

This Video Can #Exploit Your #iPhone (CVE-2025-31200)

https://www.youtube.com/watch?v=nTO3TRBW00E

Besides the clickbaity title, this video is actually a simple and fun initial analysis of the #1day in question.

As a side note, I started watching it on a device with no #adblocker and damn, YouTube has become so annoying and utterly unusable 😠

CVE ID: CVE-2025-24016
Vendor: Wazuh
Product: Wazuh Server
Date Added: 2025-06-10
Notes: https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-24016

Apparently, if you have facebook or Instagram installed on your phone, #Meta was able to track your browsing habits and link them to your real identity even if you never logged in on the web, used incognito mode or a VPN. I hope Meta gets hit with every fine in the book.

https://www.zeropartydata.es/p/localhost-tracking-explained-it-could

#Hydroph0bia (CVE-2025-4275) - a trivial #SecureBoot bypass for UEFI-compatible firmware based on Insyde #H2O, part 1

https://coderush.me/hydroph0bia-part1/

With the Kagi for Libraries program, we'll offer free access to Kagi for public library patrons worldwide 📚

If your library is interested or you know a local public library that could benefit, encourage them to apply and help us expand this program:

https://kagi.com/libraries

#Kagi #Search #Libraries

It's a mild release from #Microsoft and a record-breaking release from #Adobe. There's a single 0-day to deal with in WEBDAV and, as always, a few deployment challenges. @TheDustinChilds provides all the details at
https://www.zerodayinitiative.com/blog/2025/6/10/the-june-2025-security-update-review

Found in the wild: 2 Secure Boot exploits. Microsoft is patching only 1 of them.

https://arstechnica.com/security/2025/06/unearthed-in-the-wild-2-secure-boot-exploits-microsoft-patches-only-1-of-them/

This was a fun one to discover!
SQL syntax can be ambiguous, and MySQL anticipated this a long time ago. Other SQL dialects stuck to the spec, leading to SQL injection when the right stars align:

@SonarResearch https://infosec.exchange/@SonarResearch/114659742648728633

Terrific summary of Linux process injection techniques https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection

I've published my 8086 CPU Test suite for emulators.

It contains 646,000 single-step opcode executions with initial and final register and memory states.

https://github.com/SingleStepTests/8086

New ISPConfig Authenticated Remote Code Execution Vulnerability https://ssd-disclosure.com/ssd-advisory-ispconfig-authenticated-remote-code-execution/

This essay by @baldur on why individual experiments on the usefulness of "AI" (or similar stuff) don't teach us anything useful and might actually harm us is brilliant.

Go read it. Too many insights to pull a quote TBH: https://www.baldurbjarnason.com/2025/trusting-your-own-judgement-on-ai/