UP-TO-DATE

Blog

Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.

Blog Articles

Red Teaming

The Key to COMpromise – Part 4

February 26, 2025 – In this final part of our series on COM hijacking, we will examine a custom-named pipe IPC protocol implemented by Bitdefender Total Security and detail our approach to reverse engineering it. We will explore how we could use COM hijacking and this custom communication to gain SYSTEM privileges (CVE-2023-6154). Additionally, we will examine how to mitigate the vulnerabilities discussed throughout this series of blog posts. Lastly, we will demonstrate how COM hijacking can be exploited to perform a Denial-of-Service (DoS) attack on security products.

Author: Alain Rödel and Kolja Grassmann

Red Teaming

The Key to COMpromise – Part 3

February 12, 2025 – In this third part of our blog post series, we will cover the details of two additional vulnerabilities we found based on COM hijacking. The first vulnerability impacted Webroot Endpoint Protect (CVE-2023-7241), allowing us to leverage an arbitrary file deletion to gain SYSTEM privileges. In the second case, we targeted Checkpoint Harmony (CVE-2024-24912) and used a file download primitive to gain SYSTEM privileges.

Author: Alain Rödel and Kolja Grassmann

Red Teaming

The Key to COMpromise – Part 2

January 29, 2025 – In this post, we will delve into how we exploited trust in AVG Internet Security (CVE-2024-6510) to gain elevated privileges.
But before that, the next section will detail how we overcame an allow-listing mechanism that initially disrupted our COM hijacking attempts.

Author: Alain Rödel and Kolja Grassmann

Red Teaming

TLPT: Bedrohungsorientierte Penetrationstests nach DORA

January 24, 2025 – Since January 17, 2025, the Digital Operational Resilience Act (DORA) has been put into practice. One important aspect of DORA is the requirement of regularly performing threat-led penetration tests (TLPT). Only selected entities within the financial sector are required to conduct TLPTs. Even though TLPTs sound like a new concept, they have actually existed in Germany since 2020 in form of TIBER tests. This blog post describes the concepts behind TLPTs and how they are conducted. Furthermore, alternatives for targeted and budget-oriented red team assessments are given.

Author: Michael Brügge

Red Teaming

The Key to COMpromise – Part 1

January 15, 2025 – In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you’ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products’ internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.

Author: Alain Rödel and Kolja Grassmann

Identity

Wer hat das Elster-Zertifikat weitergegeben?

December 3, 2024 – The German government has introduced a government-provided electronic identity for its citizens, the BundID. Authentication for this ID can be – among other things – achieved using a certificate file that was introduced for submitting tax returns. However, many citizens share this certificate file either with people that do the taxes for them or with online services that provide easier interfaces for doing your taxes. As a result, many people’s online identities are at risk.

Author: Benjamin Häublein

Research

Advisories

Vulnerability in Mobatek MobaXterm (CVE-2025-0714)

February 17, 2025 – MobaXterm is a toolbox for remote computing.

Vulnerability in Trend Micro Apex One (CVE-2024-55631)

January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.

Vulnerability in HP Hotkey Support (CVE-2024-27458)

October 4, 2024 – The HP HotKey Support (HPHKS) software provides the support for handling the Hotkeys (fixed notebook buttons that provide quick access to a particular function when pressed) for HP’s business Notebooks.

Vulnerability in AVG Internet Security (CVE-2024-6510)

September 12, 2024
AVG Internet Security is an antivirus software marketed to consumers.

Vulnerability in baramundi Management Agent (CVE-2024-6689)

July 15, 2024
The baramundi Management Agent is used for software distribution in enterprise environments.

Vulnerability in Checkpoint Harmony (CVE-2024-24912)

May 1, 2024
Checkpoint Harmony is an enterprise security software protecting customers from malware.

Vulnerabilities

cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.

cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.

Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.

Vulnerability	CVE	CVSS Score	Publication Date	More Details
Vulnerability in Elaborate Bytes Virtual Clone Drive [ext]	CVE-2025-1865	7.8 (CVSS v3.1)	April 4, 2025	Changelog
Vulnerability in Mobatek MobaXterm	CVE-2025-0714	6.5 (CVSS v3.1)	February 17, 2025	Advisory
Vulnerability in Intel AMT	CVE-2024-38307	7.7 (CVSS v3.1)	February 11, 2025	Intel
Vulnerability in G DATA Management Server [ext]	CVE-2025-0542	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in G DATA Security Client [ext]	CVE-2025-0543	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in Trend Micro Apex One	CVE-2024-55631	7.8 (CVSS v3.1)	January 8, 2025	Advisory, Trend Micro
Vulnerability in HP Hotkey Support	CVE-2024-27458	8.8 (CVSS v3.1)	October 4, 2024	Advisory, HP
Vulnerability in AVG Internet Security	CVE-2024-6510	7.8 (CVSS v3.1)	September 12, 2024	Advisory
Vulnerability in Overwolf	CVE-2024-7834	7.8 (CVSS v3.1)	September 4, 2024	Advisory
Vulnerability in baramundi Management Agent	CVE-2024-6689	7.8 (CVSS v3.1)	July 15, 2024	Advisory, baramundi
Vulnerability in Trend Micro Apex One	CVE-2024-36302	7.8 (CVSS v3.1)	July 1, 2024	ZDI-Advisory, Trend Micro
Vulnerability in Checkpoint Harmony	CVE-2024-24912	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Checkpoint
Vulnerability in Webroot Antivirus	CVE-2023-7241	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Webroot
Vulnerability in Bitdefender	CVE-2023-6154	7.8 (CVSS v3.1)	April 1, 2024	Advisory, Bitdefender
Vulnerability in neo42 Sumatra PDF Package		7.8 (CVSS v3.1)	November 7, 2023	Advisory
Vulnerability in Bytello Share		7.8 (CVSS v3.1)	November 6, 2023	Advisory
Vulnerability in Kiteworks OwnCloud	CVE-2023-7273	6.8 (CVSS v3.1)	November 4, 2023	Advisory
Vulnerability in VMware Workstation	CVE-2023-20854	7.8 (CVSS v3.1)	February 3, 2023	Advisory, VMware
Vulnerability in Remote Access Software from RealVNC	CVE-2022-41975	7.8 (CVSS v3.1)	September 30, 2022	Advisory, RealVNC

Blogs - Overview

Title	Author	Publication Date	Category
The Key to COMpromise – Part 3	Alain Rödel and Kolja Grassmann	February 12, 2025	Red Teaming
The Key to COMpromise – Part 2	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
TLPT: Bedrohungsorientierte Penetrationstests nach DORA	Michael Brügge	January 24, 2025	Red Teaming
The Key to COMpromise Part 1	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
Wer hat das Elster-Zertifikat weitergegeben?	Benjamin Häublein	December 3, 2024	Identity
Google DoC2	Frederik Reiter	November 7, 2024	Command-and-Control, Red Teaming
Abusing Microsoft Warbird for Shellcode Execution	Jan-Luca Gruber & Frederik Reiter	November 7, 2024	Red Teaming, Reverse Engineering, Windows
Inside the NAC Pi	Leon Schmidt	July 5, 2024	Red Teaming
Loader Dev. 5 – Loading our payload	Kolja Grassmann	May 10, 2024	Red Teaming
Loader Dev. 4 – AMSI and ETW	Kolja Grassmann	April 30, 2024	Red Teaming
Loader Dev. 3 – Evading userspace hooks	Kolja Grassmann	April 10, 2024	Red Teaming
Loader Dev. 2 – Dynamically resolving functions	Kolja Grassmann	March 10, 2024	Red Teaming
Loader Dev. 1 – Basics	Kolja Grassmann	February 10, 2024	Red Teaming
Microsoft Tiering Model – Part 3/3	Hagen Molzer	January 10, 2024	AD Security
Microsoft Tiering Model – Part 2/3	Hagen Molzer	December 10, 2023	AD Security
Microsoft Tiering Model – Part 1/3	Hagen Molzer	November 10, 2023	AD Security

Your contact person

Daniela Strobel
daniela.strobel@cirosec.de
+49 7131 59455-60

Do you want to protect your systems? Feel free to get in touch with us.

Competent IT security consulting, pentests, incident response and training

cirosec GmbH
Ferdinand-Braun-Straße 4
74074 Heilbronn, Germany

UP-TO-DATE

Blog

Blog Articles

The Key to COMpromise – Part 4

The Key to COMpromise – Part 3

The Key to COMpromise – Part 2

TLPT: Bedrohungsorientierte Penetrationstests nach DORA

The Key to COMpromise – Part 1

Wer hat das Elster-Zertifikat weitergegeben?

Research

Advisories

Vulnerability in Mobatek MobaXterm (CVE-2025-0714)

Vulnerability in Trend Micro Apex One (CVE-2024-55631)

Vulnerability in HP Hotkey Support (CVE-2024-27458)

Vulnerability in AVG Internet Security (CVE-2024-6510)

Vulnerability in baramundi Management Agent (CVE-2024-6689)

Vulnerability in Checkpoint Harmony (CVE-2024-24912)

Vulnerabilities

Blogs - Overview

Your contact person

Quicklinks

Social Media

Legal