CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation
Source & attribution. This post is an original English rewrite of “Arbitrary Kernel Address Increment via NtQuerySystemInformation (CVE-2026-40369)” by Ori Nimron (@orinimron123), published at pwn2nimron.com. The full exploit source lives at github.com/orinimron123/CVE-2026-40369-EXPLOIT. A shorter news-style coverage was also published by Daily CyberSecurity (securityonline.info). All IDA decompilations, the PoC source, the crash dump, the affected-versions table…
https://core-jmp.org/2026/05/cve-2026-40369-arbitrary-kernel-address-increment/
Source & attribution. This post is an original English rewrite of “Arbitrary Kernel Address Increment via NtQuerySystemInformation (CVE-2026-40369)” by Ori Nimron (@orinimron123), published at pwn2nimron.com. The full exploit source lives at github.com/orinimron123/CVE-2026-40369-EXPLOIT. A shorter news-style coverage was also published by Daily CyberSecurity (securityonline.info). All IDA decompilations, the PoC source, the crash dump, the affected-versions table…
https://core-jmp.org/2026/05/cve-2026-40369-arbitrary-kernel-address-increment/
👍10🔥4😱2
Вчера на Linux тусе (Security of the linux kernel) мы как раз коллективно обсуждали нечто похожее, от hardware backdoors до дыр в sim-card
Ну так вот:
Сайты научились следить за юзерами через задержки в работе SSD
—PDF—
Ну так вот:
Сайты научились следить за юзерами через задержки в работе SSD
—PDF—
👍15🔥11😱6
CVE-2026-20182: Unauthenticated vHub Bypass in the Cisco Catalyst SD-WAN Controller
Original text: “CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)” — Jonah Burgess & Stephen Fewer, Rapid7 (May 14, 2026). Vendor advisory: cisco-sa-sdwan-rpa2-v69WY2SW. Code, tables and figures below are reproduced verbatim with attribution captions.
Executive Summary
CVE-2026-20182 is a critical (CVSS 10.0, CWE-287) authentication bypass in the Cisco Catalyst SD-WAN Controller — historically…
https://core-jmp.org/2026/05/cve-2026-20182-cisco-catalyst-sd-wan-vhub-auth-bypass/
Original text: “CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)” — Jonah Burgess & Stephen Fewer, Rapid7 (May 14, 2026). Vendor advisory: cisco-sa-sdwan-rpa2-v69WY2SW. Code, tables and figures below are reproduced verbatim with attribution captions.
Executive Summary
CVE-2026-20182 is a critical (CVSS 10.0, CWE-287) authentication bypass in the Cisco Catalyst SD-WAN Controller — historically…
https://core-jmp.org/2026/05/cve-2026-20182-cisco-catalyst-sd-wan-vhub-auth-bypass/
👍4🔥1😱1
Reverse Engineering for Beginners: Defeating an XOR Crackme on Windows x64
Original text: “Reverse Engineering For Beginners – XOR encryption – Windows x64” — Chetan Nayak, Network Intelligence (July 29, 2025). The original tutorial was first published at scriptdotsh.com in May 2018 and the source code lives at paranoidninja/ScriptDotSh-Reverse-Engineering. Code, screenshots, register/value tables and worked XOR examples below are reproduced verbatim with attribution captions.
Executive Summary…
https://core-jmp.org/2026/05/reverse-engineering-xor-encryption-windows-x64-beginners/
Original text: “Reverse Engineering For Beginners – XOR encryption – Windows x64” — Chetan Nayak, Network Intelligence (July 29, 2025). The original tutorial was first published at scriptdotsh.com in May 2018 and the source code lives at paranoidninja/ScriptDotSh-Reverse-Engineering. Code, screenshots, register/value tables and worked XOR examples below are reproduced verbatim with attribution captions.
Executive Summary…
https://core-jmp.org/2026/05/reverse-engineering-xor-encryption-windows-x64-beginners/
👍5🔥3😱1
Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs
Original text: “Visual Studio Extensions Revisited” — MDSec Research (research by Dominic Chell), MDSec (28/05/2026). Code, tables and figures below are reproduced verbatim with attribution captions.
Executive Summary
Three years after their original work on VS Code extensions for red-team initial access, MDSec revisits the larger sibling — Visual Studio proper — and finds the…
https://core-jmp.org/2026/05/visual-studio-extensions-revisited-malicious-vsix/
Original text: “Visual Studio Extensions Revisited” — MDSec Research (research by Dominic Chell), MDSec (28/05/2026). Code, tables and figures below are reproduced verbatim with attribution captions.
Executive Summary
Three years after their original work on VS Code extensions for red-team initial access, MDSec revisits the larger sibling — Visual Studio proper — and finds the…
https://core-jmp.org/2026/05/visual-studio-extensions-revisited-malicious-vsix/
👍5🔥4😱1
CVE-2025-61622: PyFory Insecure Pickle Deserialization to Remote Code Execution
Original text: “CVE-2025-61622: PyFory – Insecure Pickle Deserialization to Remote Code Execution” — SecureLayer7 Blog (May 28, 2026). Code blocks, screenshots and patch diff below are reproduced verbatim with attribution captions.
Executive Summary
CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury / Apache Fory), an open-source high-performance Python serialization framework marketed as…
https://core-jmp.org/2026/05/cve-2025-61622-pyfory-pickle-deserialization-rce/
Original text: “CVE-2025-61622: PyFory – Insecure Pickle Deserialization to Remote Code Execution” — SecureLayer7 Blog (May 28, 2026). Code blocks, screenshots and patch diff below are reproduced verbatim with attribution captions.
Executive Summary
CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury / Apache Fory), an open-source high-performance Python serialization framework marketed as…
https://core-jmp.org/2026/05/cve-2025-61622-pyfory-pickle-deserialization-rce/
😱3🔥1
Calif’s AI Audit of FreeBSD: 15 Kernel Bugs (3 RCEs, 5 LPEs, 1 bhyve Escape) and Three Public CVE Writeups
Original text: “An AI audit of FreeBSD — 15 kernel bugs, including 3 RCEs, 5 LPEs, and 1 bhyve escape” — Calif (publication; no individual byline), blog.calif.io (May 28, 2026). The PoC repositories on GitHub are califio/publications/MADBugs/freebsd. Demo GIFs below are reproduced verbatim with attribution captions.
Executive Summary
Calif — a small AI-security shop —…
https://core-jmp.org/2026/05/calif-ai-audit-freebsd-cve-2026-45250-45251-45253/
Original text: “An AI audit of FreeBSD — 15 kernel bugs, including 3 RCEs, 5 LPEs, and 1 bhyve escape” — Calif (publication; no individual byline), blog.calif.io (May 28, 2026). The PoC repositories on GitHub are califio/publications/MADBugs/freebsd. Demo GIFs below are reproduced verbatim with attribution captions.
Executive Summary
Calif — a small AI-security shop —…
https://core-jmp.org/2026/05/calif-ai-audit-freebsd-cve-2026-45250-45251-45253/
😱5🔥1
Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)
Original text: “Writing Sync, Popping Cron: DEVCORE’s Synology BeeStation RCE & A Novel SQLite Injection RCE Technique (CVE-2024-50629~50631)” — Kiddo (handle kiddo-pwn), personal blog (November 30, 2025). Underlying vulnerability research is credited to DEVCORE’s Pwn2Own Ireland 2024 entry; the SQLite-into-cron RCE primitive is Kiddo’s N-day contribution. Code blocks, hex dumps, log fragments and figures below…
https://core-jmp.org/2026/05/kiddo-pwn-synology-beestation-sqlite-cron-rce-cve-2024-50629-50631/
Original text: “Writing Sync, Popping Cron: DEVCORE’s Synology BeeStation RCE & A Novel SQLite Injection RCE Technique (CVE-2024-50629~50631)” — Kiddo (handle kiddo-pwn), personal blog (November 30, 2025). Underlying vulnerability research is credited to DEVCORE’s Pwn2Own Ireland 2024 entry; the SQLite-into-cron RCE primitive is Kiddo’s N-day contribution. Code blocks, hex dumps, log fragments and figures below…
https://core-jmp.org/2026/05/kiddo-pwn-synology-beestation-sqlite-cron-rce-cve-2024-50629-50631/
😱3🔥2
Writing Sync, Popping Cron: A Novel SQLite-Injection-to-Cron RCE on Synology BeeStation (CVE-2024-50629/50630/50631)
Original text: “Writing Sync, Popping Cron: DEVCORE’s Synology BeeStation RCE & A Novel SQLite Injection RCE Technique (CVE-2024-50629~50631)” — Kiddo (handle kiddo-pwn), personal blog (November 30, 2025). Underlying vulnerability research is credited to DEVCORE’s Pwn2Own Ireland 2024 entry; the SQLite-into-cron RCE primitive is Kiddo’s N-day contribution. Code blocks, hex dumps, log fragments and figures below…
https://core-jmp.org/2026/05/kiddo-pwn-synology-beestation-sqlite-cron-rce-cve-2024-50629-50631/
Original text: “Writing Sync, Popping Cron: DEVCORE’s Synology BeeStation RCE & A Novel SQLite Injection RCE Technique (CVE-2024-50629~50631)” — Kiddo (handle kiddo-pwn), personal blog (November 30, 2025). Underlying vulnerability research is credited to DEVCORE’s Pwn2Own Ireland 2024 entry; the SQLite-into-cron RCE primitive is Kiddo’s N-day contribution. Code blocks, hex dumps, log fragments and figures below…
https://core-jmp.org/2026/05/kiddo-pwn-synology-beestation-sqlite-cron-rce-cve-2024-50629-50631/
😱5🔥1
Gogs Authenticated RCE via git rebase –exec Argument Injection (Unpatched)
Original text: “Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code” — The Hacker News (May 28, 2026). The deep technical content is drawn from the canonical Rapid7 advisory by Jonah Burgess at rapid7.com. Code snippets and the disclosure timeline below are reproduced verbatim with attribution.
Executive Summary
Rapid7’s Jonah Burgess has disclosed…
https://core-jmp.org/2026/05/gogs-rce-git-rebase-exec-argument-injection-unpatched/
Original text: “Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code” — The Hacker News (May 28, 2026). The deep technical content is drawn from the canonical Rapid7 advisory by Jonah Burgess at rapid7.com. Code snippets and the disclosure timeline below are reproduced verbatim with attribution.
Executive Summary
Rapid7’s Jonah Burgess has disclosed…
https://core-jmp.org/2026/05/gogs-rce-git-rebase-exec-argument-injection-unpatched/
🔥4😱3
Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack
Original text: “Eventvwr.exe UAC Bypass via mscfile” — S12 – 0x12Dark Development, Medium (May 28, 2026). The bypass technique itself was originally documented publicly in 2016 by Matt Nelson (@enigma0x3); it is catalogued as MITRE ATT&CK technique T1548.002. C++ source, AV scan table and figures below are reproduced verbatim with attribution captions.
Executive Summary
The…
https://core-jmp.org/2026/05/eventvwr-uac-bypass-mscfile-hkcu-hijack/
Original text: “Eventvwr.exe UAC Bypass via mscfile” — S12 – 0x12Dark Development, Medium (May 28, 2026). The bypass technique itself was originally documented publicly in 2016 by Matt Nelson (@enigma0x3); it is catalogued as MITRE ATT&CK technique T1548.002. C++ source, AV scan table and figures below are reproduced verbatim with attribution captions.
Executive Summary
The…
https://core-jmp.org/2026/05/eventvwr-uac-bypass-mscfile-hkcu-hijack/
😱6🔥5
Kernel Karnage Part 1: Patching Windows Kernel Callbacks to Disable EDR from a Driver
Original text: “Kernel Karnage – Part 1” — Sander (@cerbersec), NVISO Labs (21 October 2021). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
The first post of NVISO Labs’ Kernel Karnage series walks through the opening move of an EDR-bypass research project: write a small Windows kernel driver, locate the…
https://core-jmp.org/2026/06/kernel-karnage-part-1-patching-windows-kernel-callbacks-edr-bypass/
Original text: “Kernel Karnage – Part 1” — Sander (@cerbersec), NVISO Labs (21 October 2021). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
The first post of NVISO Labs’ Kernel Karnage series walks through the opening move of an EDR-bypass research project: write a small Windows kernel driver, locate the…
https://core-jmp.org/2026/06/kernel-karnage-part-1-patching-windows-kernel-callbacks-edr-bypass/
🔥7
Two-Shot Kernel Shellcode: Bypassing CR4 Pinning With KProbes for Linux Kernel Control-Flow Hijack to Shellcode
Original text: “Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking” — zolutal, zolutal’s blog (10 February 2026). Code blocks below are reproduced verbatim with attribution captions.
Executive Summary
Andrey Konovalov’s 2017 Project Zero write-up showed a clean way to turn a control-flow hijack on the Linux kernel into shellcode execution: pivot into native_write_cr4 with…
https://core-jmp.org/2026/06/two-shot-kernel-shellcode-cr4-pinning-bypass-kprobes/
Original text: “Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking” — zolutal, zolutal’s blog (10 February 2026). Code blocks below are reproduced verbatim with attribution captions.
Executive Summary
Andrey Konovalov’s 2017 Project Zero write-up showed a clean way to turn a control-flow hijack on the Linux kernel into shellcode execution: pivot into native_write_cr4 with…
https://core-jmp.org/2026/06/two-shot-kernel-shellcode-cr4-pinning-bypass-kprobes/
👍1🔥1
Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators
Original text: “Обход Windows Defender и AMSI: практический гайд по defense evasion для Red Team” — Сергей Попов, Codeby.net (21 April 2026). Code blocks below are reproduced verbatim with attribution captions.
Executive Summary
Modern Microsoft Defender is not a single antivirus process — it is a stack of independent layers (static engine, kernel-mode filesystem filter,…
https://core-jmp.org/2026/06/bypassing-windows-defender-amsi-defense-evasion-red-team-guide/
Original text: “Обход Windows Defender и AMSI: практический гайд по defense evasion для Red Team” — Сергей Попов, Codeby.net (21 April 2026). Code blocks below are reproduced verbatim with attribution captions.
Executive Summary
Modern Microsoft Defender is not a single antivirus process — it is a stack of independent layers (static engine, kernel-mode filesystem filter,…
https://core-jmp.org/2026/06/bypassing-windows-defender-amsi-defense-evasion-red-team-guide/
👍13🔥3
One Click, One Hash: Unpatched NTLM Coercion in Windows Search URI Handler
Original text by Andrew Schwartz
Key Takeaways
Same bug class. No CVE. No fix. The NTLM coercion primitive in the Windows search: URI handler is technically identical to CVE-2026-33829 in the Snipping Tool. Same severity rating, same mechanism, same potential impact. Microsoft closed it without a CVE or a patch, describing its triage process as…
https://core-jmp.org/2026/06/one-click-one-hash-unpatched-ntlm-coercion-in-windows-search-uri-handler/
Original text by Andrew Schwartz
Key Takeaways
Same bug class. No CVE. No fix. The NTLM coercion primitive in the Windows search: URI handler is technically identical to CVE-2026-33829 in the Snipping Tool. Same severity rating, same mechanism, same potential impact. Microsoft closed it without a CVE or a patch, describing its triage process as…
https://core-jmp.org/2026/06/one-click-one-hash-unpatched-ntlm-coercion-in-windows-search-uri-handler/
🔥13😱5
This media is not supported in your browser
VIEW IN TELEGRAM
Hidden HTTP/2 Bomb
*
FOR
*
WriteUP + LABs + PoCs
*
FOR
nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora*
WriteUP + LABs + PoCs
👍9🔥8
Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon’s Direct-Syscall PoC)
Original text: “Red Team Tactics: Utilizing Syscalls in C# – Writing The Code” — Jack Halon, Jack Hacks (16 April 2020, updated). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Jack Halon’s second “Utilizing Syscalls in C#” post is the implementation half of the series: take the conceptual understanding of…
https://core-jmp.org/2026/06/red-team-tactics-utilizing-syscalls-in-csharp-writing-the-code/
Original text: “Red Team Tactics: Utilizing Syscalls in C# – Writing The Code” — Jack Halon, Jack Hacks (16 April 2020, updated). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Jack Halon’s second “Utilizing Syscalls in C#” post is the implementation half of the series: take the conceptual understanding of…
https://core-jmp.org/2026/06/red-team-tactics-utilizing-syscalls-in-csharp-writing-the-code/
👍4🔥3
Reverse-engineering Valorant’s Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem’s Post)
Original text: “In-depth analysis on Valorant’s Guarded Regions” — Xyrem, reversing.info (2023). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Riot’s Vanguard anti-cheat keeps a slice of Valorant’s game state in memory that is, from any other process or unprivileged thread’s point of view, simply not mapped. Xyrem’s post walks…
https://core-jmp.org/2026/06/reverse-engineering-valorant-vanguard-guarded-regions-pml4-cr3-swap-context-hook/
Original text: “In-depth analysis on Valorant’s Guarded Regions” — Xyrem, reversing.info (2023). Code blocks and figures below are reproduced verbatim with attribution captions.
Executive Summary
Riot’s Vanguard anti-cheat keeps a slice of Valorant’s game state in memory that is, from any other process or unprivileged thread’s point of view, simply not mapped. Xyrem’s post walks…
https://core-jmp.org/2026/06/reverse-engineering-valorant-vanguard-guarded-regions-pml4-cr3-swap-context-hook/
🔥8👍5