Ethical hacking & pentesting blog

How our detection approach holds up as CVE enrichment changes

Find out how we keep results reliable through ecosystem data gaps such as the recent NIST update on NVD operations.

DotNetNuke: XSS to RCE (CVE-2026-40321)

DotNetNuke (DNN) might be a leading CMS in the Microsoft ecosystem, but a routine test on an older version accidentally led us straight to a brand-new 0-day. In this write-up, we escalate a simple Stored XSS vulnerability into a full Remote Code Execution (RCE) chain (CVE-2026-40321). Read the full article to see how we smuggled payloads inside SVG files, weaponized DNN's internal messaging to spear-phish admins, and seamlessly dropped an ASPX backdoor right into the server root

Throwing a spark into FuelCMS

FuelCMS v1.5.2 might be an older, largely unmaintained project, but its codebase is still highly combustible. In our latest research sprint, we uncovered seven new vulnerabilities lurking under the hood. Read the full article to see the raw HTTP requests, learn how we bypassed brute-force rate limits, and watch us turn simple template syntax into a full system compromise.

Year in review: from routine to results in 2025

Security teams had to cover more assets, respond to more CVEs, and explain more findings to more people than ever. And not just explain them - defend them. In front of clients. In front of auditors. In front of leadership that wants to know what actually changed since the last in-depth test.

A comprehensive deep dive into React2Shell (CVE-2025-55182)

React2Shell (CVE-2025-55182) is a CVSS 10.0, pre-auth remote code execution flaw in the React Server Components Flight protocol. This deep dive maps affected React and Next.js versions, explains the deterministic exploit chain, summarizes in-the-wild abuse, and lays out detection, mitigation, and validation steps you can apply in real environments.

How we built an exploit for SessionReaper, CVE-2025-54236 in Magento 2 & Adobe Commerce

Here's how we weaponized SessionReaper (CVE-2025-54236) against Magento 2, chaining ServiceInputProcessor quirks and a session proxy setter to forge customer sessions and hijack accounts. Our lab-tested PoC exposes attack surface, a possible preauth RCE, and an automated exploit - a practical walkthrough for researchers who like coffee strong and bugs reliable.

How web cache poisoning works and how to exploit it

Elevate your next pentest by exploiting web cache poisoning. This deep dive uncovers the RFC nuances, common misconfigurations, and unkeyed request components that transform low-severity injections into critical, widespread compromises. Learn practical detection, exploitation (with PoCs!), and advanced mitigation techniques to weaponize your findings.

What the experts say: Machine learning in offensive security

In this third installment, we stop talking and start listening. We asked seasoned offensive security professionals how they actually use machine learning in the field. Their verdict? ML works, when it’s focused. From spotting phishing entry points to flagging suspicious authentication patterns, the value is real. But it’s not magic. Used blindly, it adds noise. Used wisely, it accelerates analysts.

When severity scores mislead - the case against single-metric risk models

Are you still chasing high CVSS scores? Learn how multi-dimensional risk models reveal what attackers really target.

Beyond the hype: how we built a machine-learning classifier (and refused to call It AI)

How we cut web fuzzing FPs by 50% using Machine Learning

Beyond passive and active - a modern approach to network reconnaissance

This isn't your textbook recon. We're dissecting how modern network analysis blurs 'passive' and 'active,' offering a clearer path to target vulnerabilities.