Bold Statements
Imagine the following: You visit a webpage with a lot of text you don’t want to read and ask your AI assistant for a summary. A few moments later, the AI assistant has extracted one of your emails and sent it to an attacker without you ever knowing.
In October 2025, we found exactly this vulnerability in Firefox’s AI chatbot integration1.
Continue reading “Vulnerability Disclosure: Stealing Emails via Firefox’s AI Features”
Continue readingDuring a penetration test for a customer, we identified a command injection vulnerability in Geutebrück security cameras that allows authenticated attackers to execute arbitrary commands as root through the web interface. The root cause is unsanitized user input being passed into a sed script (and at least 12 other CGI endpoints). In addition to the injection, we identified an XSS vulnerability, an exposed system menu leaking configuration and log data, and an insecure GET-parameter-to-environment-variable mapping that enables abuse of variables like LD_PRELOAD and LD_DEBUG. We reported the findings to Geutebrück and a patched firmware was provided. This post walks through how we got from a sed error message to a root shell.
Continue reading “Disclosure: Command Injection in Geutebrück Cameras”
Continue readingDuring a customer project, we identified privilege escalation vulnerabilities in Broadcom VMware Aria Operations. It is possible to escalate the privileges of an administrative vCenter user to an Aria administrator and take over systems integrated in Aria. Meaning, the vCenter user can gain privileged access to systems they have no access to. While both users might sound similarly privileged, this is not true in most environments – especially not in complex corporate environments: An insignificant vCenter user in a development environment can take over all other vCenters in a complex corporate environment.
The issue is exploitable in Aria’s default configuration. While the user is not an administrator, Aria maps the vCenter users to the PowerUser role, which is a privileged role in Aria and can be used to escalate its privileges to administrative users of other vCenters and connected VMware components.
Broadcom assigned CVE-2025-41245 and CVE-2026-22721 to the vulnerabilities and fixed the issue with VMSA-2025-0015 and VMSA-2026-0001.
In this blog post, we provide a brief background on VMware Aria Operations and vCenters, show what we found, and how we exploited this vulnerability in multiple ways to escalate privileges! Later, we talk about the disclosure process and Broadcom’s mitigation of the issue.
Continue readingDuring a customer project we identified an issue with the validation of JWT tokens that allowed us to bypass the authentication by using unsigned tokens with arbitrary payloads. During analysis we found out that this is caused by a vulnerability within the library OpenID Connect Authenticator for Tomcat.
Continue readingWith the rise of AI assistance features in an increasing number of products, we have begun to focus some of our research efforts on refining our internal detection and testing guidelines for LLMs by taking a brief look at the new AI integrations we discover.
Alongside the rise of applications with LLM integrations, an increasing number of customers come to ERNW to specifically assess AI applications. Our colleagues Florian Grunow and Hannes Mohr analyzed the novel attack vectors that emerged and presented the results at TROOPERS24 already.
In this blog post, written by my colleague Malte Heinzelmann and me, Florian Port, we will examine multiple interesting exploit chains that we identified in an exemplary application, highlighting the risks resulting from the combination of sensitive data exposure and excessive agency. The target application is an AI email client, which adds a ChatGPT-like assistant to your Google Mail account.
Ultimately, we discovered a prompt injection payload that can be concealed within HTML emails, which is still interpreted by the model even if the user does not directly interact with the malicious email.
Continue reading “Vulnerability Disclosure: Stealing Emails via Prompt Injections”
Continue readingImportant note: Some media coverage on this topic falsely or inaccurately depicts the attack conditions. To be clear: Any vulnerable device can be compromised if the attacker is in Bluetooth range. That is the only precondition.
During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference.
Continue reading “Security Advisory: Airoha-based Bluetooth Headphones and Earbuds”
Continue readingThe X11 Window System has been used since September 1987 for Unix desktop systems, allowing applications to display their windows. Today, one of the server implementations of the protocol is the X.Org X server and XWayland, which both use the same codebase. While reviewing the X server, several legacy security issues were identified. These appear to originate from earlier design stages when security considerations were less prominent. Despite the project’s maturity and widespread use, some of these issues have persisted.
Continue readingIn a recent customer project, we discovered vulnerabilities in Microsoft Bookings, an online appointment scheduling tool integrated into Microsoft 365, allowing companies to have customers book meetings in available times themselves. The findings originate from insufficient input validation on the public meeting scheduling endpoint. Although Microsoft has largely mitigated this vulnerability, our analysis provides important insights into potential risks and areas for improvement.
Continue reading “Disclosure: Input Validation Vulnerabilities in Microsoft Bookings”
Continue readingDuring a red-teaming-style customer project, we managed to get access to an Rundeck API token. Rundeck is a job scheduler and runbook automation platform designed to automate routine IT tasks across multiple systems. At first, we were excited about this API token because if we could create new Rundeck jobs, we could execute arbitrary code on the Rundeck nodes and move laterally from there. However, it turned out that with this token we only had permissions to run existing jobs.
Continue reading “Full Disclosure: Multiple Rundeck Job Command Injections”
Continue readingWe discovered a private key for accessing an IBM Hardware Management Console (HMC) during a recent red team engagement. The IBM Hardware Management Console (HMC) is a dedicated management system used to control and manage IBM servers, especially those running on Power Systems (like IBM Power9/Power10) and mainframes (z Systems). After brief research, we identified two security vulnerabilities that can be leveraged to gain root access to the HMC.
Continue reading