Insinuator.net – Bold Statements

October 20, 2025 by Enno Rey

MCTTP 2025 / Keynote

Three weeks ago, I attended MCTTP 2025 in Munich, organized by Vogel IT and curated by the fine folks Florian Hansemann, Dr. Marc Maisch, and Florian Oelmaier. Awesome event with some very cool talks, and great conversations over dinner and most notably at the Oktoberfest on Saturday (thanks again for that special trip, Flo!). I had the pleasure and honor to give the keynote on the 2nd day. The goal was to make it a bit entertaining and enlightening for the international audience, so I covered some German literature, too ;-). The slides can be found here, and the transcript here. Looking forward to meeting some folks again next year, maybe even at TROOPERS26 😉

Cheers!
Enno

Continue reading “MCTTP 2025 / Keynote”

Breaking

October 2, 2025 by Baptiste David

Release of ERNW White Paper 73: Analyzing WinpMem Driver Vulnerabilities

Today we are releasing a new white paper that delivers a technical analysis of security weaknesses discovered in WinpMem, an open-source Windows memory acquisition driver widely used in digital forensics.

Continue reading “Release of ERNW White Paper 73: Analyzing WinpMem Driver Vulnerabilities”

Breaking

September 8, 2025 by Nils Emmerich

Disclosure: Authentication Bypass in VERTIV Avocent AutoView (Version 2.10.0.0.4736)

The VERTIV Avocent AutoView switches are analog keyboard, video, and mouse (KVM) switches used in data center servers. They also expose a web server in the network, which allows for some configuration.

During a penetration test for a customer, a device of this type was identified in the infrastructure and analyzed, revealing an authentication bypass in the web application.

Continue reading “Disclosure: Authentication Bypass in VERTIV Avocent AutoView (Version 2.10.0.0.4736)”

Breaking

September 2, 2025 by Florian Port

Vulnerability Disclosure: Stealing Emails via Prompt Injections

With the rise of AI assistance features in an increasing number of products, we have begun to focus some of our research efforts on refining our internal detection and testing guidelines for LLMs by taking a brief look at the new AI integrations we discover.

Alongside the rise of applications with LLM integrations, an increasing number of customers come to ERNW to specifically assess AI applications. Our colleagues Florian Grunow and Hannes Mohr analyzed the novel attack vectors that emerged and presented the results at TROOPERS24 already.

In this blog post, written by my colleague Malte Heinzelmann and me, Florian Port, we will examine multiple interesting exploit chains that we identified in an exemplary application, highlighting the risks resulting from the combination of sensitive data exposure and excessive agency. The target application is an AI email client, which adds a ChatGPT-like assistant to your Google Mail account.

Ultimately, we discovered a prompt injection payload that can be concealed within HTML emails, which is still interpreted by the model even if the user does not directly interact with the malicious email.

Continue reading “Vulnerability Disclosure: Stealing Emails via Prompt Injections”

Breaking

August 29, 2025 by Tillmann Oßwald

Windows Hello for Business – Faceplant: Planting Biometric Templates

We are back from Black Hat USA, where we presented our research on Windows Hello for Business (Slides) once more. In the last two blog posts, we have discussed the architecture of WHfB and past attacks, as well as how the database works and how to swap identities in the database.

Continue reading “Windows Hello for Business – Faceplant: Planting Biometric Templates”

Events

August 14, 2025 by Enno Rey

#TROOPERS25 AD & Entra ID Security Track

The #TROOPERS25 ‘AD & Entra ID Security’ track was a blast – as was the whole conference 😉 – bringing together some of the smartest researchers in the field and a great audience of practitioners willing to share their experiences during the roundtable. The slides of the talks have been released in the interim on the TROOPERS website, but since many speakers published additional blogposts or released tools, we provide a compilation of resources from the track in the following.

See you folks next year at #TROOPERS26!

Continue reading “#TROOPERS25 AD & Entra ID Security Track”

Building

July 28, 2025 by Alexander Moch

Setting up Secure Boot on Gentoo Linux

The purpose of this blog post is to explain how Secure Boot works. In particular, we will explain where current implementations of Secure Boot by Linux distributors fall short compared to Microsoft Windows and Apple macOS.

Major distributors like Canonical, Debian, openSUSE, and Red Hat place a high priority on making their operating systems work out of the box. Given the current Linux landscape with out-of-tree drivers and incompatible licenses, providing the end user with all the drivers possibly needed to boot the system can be challenging.

In this post we will describe how to set up Secure Boot on Gentoo Linux. Gentoo Linux is sometimes described as a meta-distribution. It leaves many decisions up to its users—and with that, a fair amount of work. The upside is that users can decide exactly how to set up the boot chain without having to work “against” the distributor. For this reason, we chose Gentoo Linux to demonstrate the different ways to set up Secure Boot.

On a hardened system, Secure Boot should be deployed along with full disk encryption¹.

Continue reading “Setting up Secure Boot on Gentoo Linux”

Breaking

July 15, 2025 by Tillmann Oßwald

Windows Hello for Business – The Face Swap

In the last blog post, we discussed the full authentication flow using Windows Hello for Business (WHfB) with face recognition to authenticate against an Active Directory with Kerberos and showcased existing and new vulnerabilities. In this blog post, we dive into the architectural challenges WHfB faces and explore how we can exploit them.

Continue reading “Windows Hello for Business – The Face Swap”

Building

July 3, 2025 by Alexander Moch

Insecure Boot: Injecting initramfs from a debug shell

Many Linux hardening guides focus on well-known protections: full-disk encryption, Secure Boot, and password-protected bootloaders. While these measures are critical, they often overlook a subtle but serious attack vector: the ability to drop into a debug shell via the Initial RAM Filesystem (initramfs). This oversight can enable an attacker with brief physical access to bypass conventional boot protections and inject persistent malware into the system.

In this post, it is demonstrated how this attack works on modern Linux distributions, such as Ubuntu and Fedora, and explained why existing guidance often fails to mention it.

Continue reading “Insecure Boot: Injecting initramfs from a debug shell”

Breaking

June 26, 2025 by Dennis Heinze

Security Advisory: Airoha-based Bluetooth Headphones and Earbuds

Important note: Some media coverage on this topic falsely or inaccurately depicts the attack conditions. To be clear: Any vulnerable device can be compromised if the attacker is in Bluetooth range. That is the only precondition.

During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference.

Continue reading “Security Advisory: Airoha-based Bluetooth Headphones and Earbuds”