"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War

📰 SecLinks #

Executing arbitrary Python code from a comment

Cloud Build Race Condition Bypass – A subtle race condition in Google Cloud Build's GitHub integration could bypass maintainer review for pull request tests, highlighting critical access control risks in CI/CD systems. Read More

CrushFTP RCE via DMZ Proxy Flaw – CVE-2025-54309 exploited security check failures in CrushFTP's DMZ proxy, bypassing protections for the internal admin server. Read More

Hijacking Multi-Agent System Risks – Multi-agent systems (MASs) face failures from unknown components, paralleling distributed system vulnerabilities, enabling new exploit avenues. Read More

PyPI Phishing Attack Incident Report – A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More

AI Prompt Injection Risks and Mitigation – With rising LLM adoption, prompt injection poses new threats; an example illustrates real-world exploitation and defensive strategies. Read More

Pixel 8 Kernel Debugging via KGDB Guide – Techniques include building custom kernels, breaking into KGDB using ADB or serial connections, and attaching GDB for debugging. Read More

Semgrep Adoption Strategies and MAS Risks – Introducing Semgrep requires organizational planning for security gains, while multi-agent systems face distributed failure risks akin to traditional infrastructure. [Read More](https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/?ref=https://rosecurify.com/seclog-137

TerraMaster NAS Firmware Extraction to RCE – Firmware extraction and PHP analysis led to remote code execution on TerraMaster NAS devices, starting from an IoT security research idea. Read More

Gemini CLI Silent Code Execution Risk – A silent attack on Gemini CLI combined improper validation, prompt injection, and misleading UX to execute malicious commands during untrusted code inspection. Read More

Critical Base44 Vulnerability Exposes Private Apps – A flaw in the AI "vibe coding" platform Base44 allowed unauthorized access to users' private applications, identified by Wiz Research. Read More

PyPI Phishing Attack Incident Report – A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More

💻 SecGit #

rb-x/penflow: A visual methodology tracking platform tailored for offensive security assessments

Proton's Lumo AI Assistant Prompt – Defines a cat-like, upbeat AI personality with guidelines for curiosity and respectful user interactions. Explore on GitHub

Java RMI Vulnerability Scanner Tool – Remote-Method-Guesser identifies and exploits vulnerabilities in Java RMI services efficiently. Explore on GitHub

Amazon MWAA Remote Code Execution – Details an RCE vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). Explore on GitHub

S3DNS: Cloud Bucket Discovery Tool – Acts as a DNS server to identify AWS/GCP/Azure buckets, following CNAMEs and matching patterns during surfing. Explore on GitHub

CVE.ICU Project Code Release – Hosts the source code for the CVE.ICU initiative, though specifics remain sparse from the highlight. Explore on GitHub

Pwnat: Firewall/NAT Hole-Punching – Exploits NAT translation tables to connect clients/servers behind separate NATs without third-party tools. Explore on GitHub

← Back to Seclog