Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.
February 10, 2026 – In this blog post we will cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set. Spoiler: this is not entirely possible.
Author: Lino Facco
January 28, 2026 – In this third part of the blog series, you will learn how to inject shellcode into processes with ICs as an execution mechanism without creating any new threads for your payload and without installing a vectored exception handler.
Author: Lino Facco
December 4, 2025 – This is the third post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this final post, we will provide insights into the development of our BOF loader as implemented in our Mythic beacon. We will demonstrate how we used the experimental Mythic Forge to circumvent the dependency on Aggressor Script – a challenge that other C2 frameworks were unable to resolve this easily.
Author: Leon Schmidt
December 3, 2025 – Last week, the German Kraftfahrt-Bundesamt (German Federal Motor Transport Authority) presented the new i-Kfz app. This is linked to the hope that it will reduce bureaucracy. Read here to find out if it works as intended.
Author: Julian Lemmerich
November 27, 2025 – This is the second post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this second post, we will present some concrete BOF implementations to show how they are used in the wild and how powerful they can be.
Author: Leon Schmidt
November 26, 2025 – Regarding the Node Package Manager (npm) supply chain attack that started November 21, 2025, and affected thousands of packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
Author: Niklas Vömel, Felix Friedberger
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
February 17, 2025 – MobaXterm is a toolbox for remote computing.
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.
cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.
Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.
| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
| Vulnerability in Two App Studio Journey | CVE-2025-41459 | 7.8 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in Two App Studio Journey | CVE-2025-41458 | 5.5 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2306 | 5.9 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2305 | 8.6 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in Elaborate Bytes Virtual Clone Drive [ext] | CVE-2025-1865 | 7.8 (CVSS v3.1) | April 4, 2025 | Changelog |
| Vulnerability in Mobatek MobaXterm | CVE-2025-0714 | 6.5 (CVSS v3.1) | February 17, 2025 | Advisory |
| Vulnerability in Intel AMT | CVE-2024-38307 | 7.7 (CVSS v3.1) | February 11, 2025 | Intel |
| Vulnerability in G DATA Management Server [ext] | CVE-2025-0542 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in G DATA Security Client [ext] | CVE-2025-0543 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in Trend Micro Apex One | CVE-2024-55631 | 7.8 (CVSS v3.1) | January 8, 2025 | Advisory, Trend Micro |
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3.1) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3.1) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3.1) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3.1) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3.1) | July 1, 2024 | ZDI-Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3.1) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | 7.8 (CVSS v3.1) | November 7, 2023 | Advisory | |
| Vulnerability in Bytello Share | 7.8 (CVSS v3.1) | November 6, 2023 | Advisory | |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3.1) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3.1) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3.1) | September 30, 2022 | Advisory, RealVNC |
| Title | Author | Publication Date | Category |
| Windows Instrumentation Callbacks – Part 4 | Lino Facco | February 10, 2026 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 3 | Lino Facco | January 28, 2026 | Red Teaming, Reverse Engineering, Windows |
| Die neue i-Kfz-App für den digitalen Fahrzeugschein | Julian Lemmerich | December 3, 2025 | Digitalization, Identity, Mobile Security |
| Beacon Object Files for Mythic – Part 2 | Leon Schmidt | November 27, 2025 | Red Teaming, Command-And-Control |
| A collection of Shai-Hulud 2.0 IoCs | Niklas Vömel & Felix Friedberger | November 27, 2025 | Forensic, Incident Handling |
| Beacon Object Files for Mythic – Part 1 | Leon Schmidt | November 19, 2025 | Red Teaming, Command-And-Control |
| Windows Instrumentation Callback – Part 2 | Lino Facco | November 12, 2025 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 1 | Lino Facco | November 5, 2025 | Red Teaming, Reverse Engineering, Windows |
| IOCs of the npm crypto stealer supply chain incident | Niklas Vömel | September 25, 2025 | Forensic, Incident Handling |
| Effektive Governance-Strategien im Red Teaming | Hannes Allmann | June 30, 2025 | Red Teaming |
| The Key to COMpromise – Part 4 | Alain Rödel and Kolja Grassmann | February 26, 2025 | Red Teaming |
| The Key to COMpromise – Part 3 | Alain Rödel and Kolja Grassmann | February 12, 2025 | Red Teaming |
| The Key to COMpromise – Part 2 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| TLPT: Bedrohungsorientierte Penetrationstests nach DORA | Michael Brügge | January 24, 2025 | Red Teaming |
| The Key to COMpromise Part 1 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| Wer hat das Elster-Zertifikat weitergegeben? | Benjamin Häublein | December 3, 2024 | Identity |
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |
