Rapid7 at Pwn2Own: Raising the Bar in Vuln Intel
As the 2025 edition of Pwn2Own Ireland draws to a close, we are taking a beat to reflect on Rapid7's participation & achievements in the world of competitive zero day exploit development.
As Pwn2Own Ireland 2025 draws to a close, a huge thank you to @thezdi.bsky.social for putting on another great contest! I reflected on why @rapid7.com has taken part at #Pwn2Own over the last two years, and our successes so far in the world of competitive zero day exploit development r-7.co/4o6RM85
24.10.2025 16:51
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
06.10.2025 08:39
CVE-2025-20362 | AttackerKB
On September 25, 2025, Cisco published advisories for two new vulnerabilities, CVE-2025-20362, and CVE-2025-20333, which are known to be exploited in-the-wild …
We just posted our AttackerKB @rapid7.com Analysis for the recent Cisco 0day chain; CVE-2025-20362 and CVE-2025-20333. Full technical root cause analysis of both the auth bypass and buffer overflow are here: attackerkb.com/topics/Szq5u...
06.10.2025 08:38
and shout out to @iagox86.bsky.social who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
24.09.2025 13:35
CVE-2025-10035 | AttackerKB
On September 18, 2025, Fortra published a security advisory for a new vulnerability affecting their managed file transfer product, GoAnywhere MFT. The new vuln…
We have published our AttackerKB @rapid7.com Analysis for the recent GoAnywhere MFT vuln, CVE-2025-10035. It's an access control bypass + unsafe deserialization + an as-yet unknown issue in how an attacker can know a specific private key! attackerkb.com/topics/LbA9A...
24.09.2025 13:33
⚠️ Rapid7 has identified a permission bypass vuln. in multiple versions of #OnePlus OxygenOS installed on its Android smartphones.
When leveraged, any app on the device may read SMS/MMS data & metadata via the default Telephony provider. More in our blog: r-7.co/42EujlR
23.09.2025 12:58
Senior Security Researcher - United Kingdom
The Senior Security Researcher will drive vulnerability discovery and analysis within Rapid7's Vulnerability Intelligence team. You'll research zero-day and n-day threats, develop exploits, publish ro...
Come join @rapid7.com ! I'm hiring for a Senior Security Researcher to join our team. You'll get to work on n-day analysis, zero-day research, exploit development, and more - focusing on enterprise software and appliances. Fully remote in the UK, more details here: careers.rapid7.com/jobs/senior-...
25.08.2025 16:57
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64
23.07.2025 17:06
We now have a (draft) @metasploit-r7.bsky.social exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metas...
23.07.2025 13:18
Our @metasploit-r7.bsky.social auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the device's default admin password (CVE-2024-51978), and then validate the creds: github.com/rapid7/metas...
25.06.2025 08:54
Rapid7
Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities.
Today @rapid7.com is disclosing 8 new vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: www.rapid7.com/blog/post/mu...
25.06.2025 08:44
Today @rapid7.com disclosed two vulns affecting NetScaler Console and SDX, found by Senior Security Researcher Calum Hutton! Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365), and the authenticated arbitrary file write vuln (which the vendor has not assigned a CVE for).
18.06.2025 20:02
CVE-2024-58136 | AttackerKB
Yii framework is a component-based MVC web application framework, providing developers with the building blocks to create complex web applications including mo…
A new @rapid7.com Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii framework, this analysis details the root cause of CVE-2024-58136, and how it can be leveraged for RCE via a dirty file write to a log file. attackerkb.com/topics/U2Ddo...
27.05.2025 10:38
GitHub - sfewer-r7/CVE-2025-22457
Contribute to sfewer-r7/CVE-2025-22457 development by creating an account on GitHub.
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
10.04.2025 18:20
CVE-2025-22457 | AttackerKB
On April 3, 2025, Ivanti published an advisory for CVE-2025-22457, an unauthenticated remote code execution vulnerability due to a stack based buffer overflow. …
We have just published our AttackerKB @rapid7.com Analysis of CVE-2025-22457, an unauthenticated stack based buffer overflow in Ivanti Connect Secure. Difficult to exploit due to severe character restrictions, we detail our full RCE technique here: attackerkb.com/topics/0ybGQ...
10.04.2025 18:19
A VM escape exploit chain, exploited in the wild as 0day ...well that's not something we see very often
07.03.2025 09:12
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day ...our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! attackerkb.com/topics/G5s8Z...
13.02.2025 16:05
CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) | Rapid7 Blog
Today Rapid7 has disclosed CVE-2025-1094, a new PostgreSQL SQLi vuln we discovered while researching CVE-2024-12356 in BeyondTrust Remote Support. Untrusted inputs that have been safely character escaped could still generate SQLi under certain conditions: www.rapid7.com/blog/post/20...
13.02.2025 16:05
GreyNoise Labs - How-To: Linux Process Injection
Ever wondered how to inject code into a process on Linux?
Process injection shenanigans are dear to my heart - it's one of the first things I ever learned in security.
Inspired by an Akamai blog last month, this blog digs into techniques to tinker with other processes on Linux, and show you how to write a little debugger in C!
28.01.2025 17:28
100% this!! They're amazing
23.01.2025 07:52
Without a suitable info leak you have to brute force the 32-bit base address of a shared library, and with 9 bits of entropy this can take upwards of 1.5 hours, although in practice it can be much quicker. Regardless of the time it takes to succeed, exploitation is reliable.
16.01.2025 15:52
I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...
16.01.2025 15:52
We now have a @metasploit-r7.bsky.social RCE exploit module in the pull queue for CVE-2024-55956 - an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony which was exploited in the wild last month as 0day: github.com/rapid7/metas...
07.01.2025 20:55
Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: assetnote.io/resources/re...
#attacksurfacemanagement
19.12.2024 02:12
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
C++ developer specializing in source and binary program analysis and transformation.
OS/systems engineer, co-founder of Augmend. I used to work on WinDbg at Microsoft. Also on mastodon/fediverse as @tim@dbg.social
Program Analysis / Reverse Engineering
Chief Scientist @ BINARLY
Website: https://xv.ax
and 100+ other projects. Love binary analysis and Windows internals. Dreaming about doing open source full time...
Hacker. Friend. Cybersecurity Researcher at Huntress.
🇺🇸 Waging algorithmic warfare since 2003. Software & Security Engineer. Non-Resident Research Fellow CSETGeorgetown CyberAI
Programmer, #malware analyst. Author of #PEbear, #PEsieve, #TinyTracer. Private account. All opinions expressed here are mine only (not of my employer etc) ; https://hasherezade.net
Experienced InfoSec | Elder Millennial | 💼 @GreyNoiseIO | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own.
https://linktr.ee/glennthorpe
Official account of the Metasploit Project, part of the Rapid7 family.
Mastodon: @metasploit@infosec.exchange
Slack: http://metasploit.com/slack
Velociraptor@Rapid7. #DFIR, #CTI and research.
https://mgreen27.github.io
Rapid7 can help you command your attack surface, smash silos, stay steps ahead of attackers, and take breaches from "inevitable" to preventable. Rapid7 technology, services, and research give organizations around the world control.
Website: rapid7.com
Chief Scientist @Rapid7 (ex @McAfee) | @cloudsa | Co-author of @CyberGridBook & CSA Guide to Cloud | Advisor
@EC3Europol
https://bsky.app/profile/rajsamani.bsky.social
Principal Security Engineer at Microsoft. Formerly at Google and Amazon.
Everything is always broken. Googler by day. #BinDiff maintainer. My tweets, my opinion.
During my lifetime, CO2 increased by 67.84ppm (so far).
http://pronoun.is/he
"Vulnerability researcher" doing BB on free time (http://yeswehack.com/hunters/chackal) Also doing some Reverse on many targets but find no vuln
Blogpost: https://medium.com/@chackal
VR team tech lead @synacktiv.com