Pentesting
Penetration Testing LLM Web Apps: Common Pitfalls
April 14, 2026 – This article focuses exclusively on penetration testing applications that use off-the-shelf LLM models through inference APIs.
Author: Felix Friedberger
UP-TO-DATE
Blog
Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.
Blog Articles
Azure
Auditieren von M365 und Azure
March 24, 2026 – Entra ID und Azure sind ein eigener Kosmos, der viele Möglichkeiten aber auch viele Stolperfallen hinsichtlich der Sicherheit mit sich bringt. Entra ID und Azure sicher zu betreiben, ist eine Kunst für sich und stellt viele IT-Abteilungen vor große Herausforderungen. In diesem Blogpost soll es darum gehen, wie man diesem Problem Herr werden kann.
Author: Constantin Wenz
Forensic
How Attackers Abuse Bubbleapps.io to Phish German Businesses
February 25, 2026 – This post breaks down the full attack chain, from initial phishing emails to credential harvesting and remote access malware and maps out some of the infrastructure behind it.
Author: Felix Friedberger
Red Teaming
Windows Instrumentation Callbacks – Part 4
February 10, 2026 – In this blog post we will cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set. Spoiler: this is not entirely possible.
Author: Lino Facco
Reverse Engineering
Windows Instrumentation Callbacks – Part 3
January 28, 2026 – In this third part of the blog series, you will learn how to inject shellcode into processes with ICs as an execution mechanism without creating any new threads for your payload and without installing a vectored exception handler.
Author: Lino Facco
Command-and-Control
Beacon Object Files for Mythic – Part 3
December 4, 2025 – This is the third post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this final post, we will provide insights into the development of our BOF loader as implemented in our Mythic beacon. We will demonstrate how we used the experimental Mythic Forge to circumvent the dependency on Aggressor Script – a challenge that other C2 frameworks were unable to resolve this easily.
Author: Leon Schmidt
Advisories
Vulnerability in Two App Studio Journey (CVE-2025-41459)
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
Vulnerability in Two App Studio Journey (CVE-2025-41458)
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2306)
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2305)
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
Vulnerability in Mobatek MobaXterm (CVE-2025-0714)
February 17, 2025 – MobaXterm is a toolbox for remote computing.
Vulnerability in Trend Micro Apex One (CVE-2024-55631)
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.
Vulnerabilities
cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.
Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.
| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
| Vulnerability in Two App Studio Journey | CVE-2025-41459 | 7.8 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in Two App Studio Journey | CVE-2025-41458 | 5.5 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2306 | 5.9 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2305 | 8.6 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in Elaborate Bytes Virtual Clone Drive [ext] | CVE-2025-1865 | 7.8 (CVSS v3.1) | April 4, 2025 | Changelog |
| Vulnerability in Mobatek MobaXterm | CVE-2025-0714 | 6.5 (CVSS v3.1) | February 17, 2025 | Advisory |
| Vulnerability in Intel AMT | CVE-2024-38307 | 7.7 (CVSS v3.1) | February 11, 2025 | Intel |
| Vulnerability in G DATA Management Server [ext] | CVE-2025-0542 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in G DATA Security Client [ext] | CVE-2025-0543 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in Trend Micro Apex One | CVE-2024-55631 | 7.8 (CVSS v3.1) | January 8, 2025 | Advisory, Trend Micro |
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3.1) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3.1) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3.1) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3.1) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3.1) | July 1, 2024 | ZDI-Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3.1) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | 7.8 (CVSS v3.1) | November 7, 2023 | Advisory | |
| Vulnerability in Bytello Share | 7.8 (CVSS v3.1) | November 6, 2023 | Advisory | |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3.1) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3.1) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3.1) | September 30, 2022 | Advisory, RealVNC |
Blogs - Overview
| Title | Author | Publication Date | Category |
| Windows Instrumentation Callbacks – Part 4 | Lino Facco | February 10, 2026 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 3 | Lino Facco | January 28, 2026 | Red Teaming, Reverse Engineering, Windows |
| Die neue i-Kfz-App für den digitalen Fahrzeugschein | Julian Lemmerich | December 3, 2025 | Digitalization, Identity, Mobile Security |
| Beacon Object Files for Mythic – Part 2 | Leon Schmidt | November 27, 2025 | Red Teaming, Command-And-Control |
| A collection of Shai-Hulud 2.0 IoCs | Niklas Vömel & Felix Friedberger | November 27, 2025 | Forensic, Incident Handling |
| Beacon Object Files for Mythic – Part 1 | Leon Schmidt | November 19, 2025 | Red Teaming, Command-And-Control |
| Windows Instrumentation Callback – Part 2 | Lino Facco | November 12, 2025 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 1 | Lino Facco | November 5, 2025 | Red Teaming, Reverse Engineering, Windows |
| IOCs of the npm crypto stealer supply chain incident | Niklas Vömel | September 25, 2025 | Forensic, Incident Handling |
| Effektive Governance-Strategien im Red Teaming | Hannes Allmann | June 30, 2025 | Red Teaming |
| The Key to COMpromise – Part 4 | Alain Rödel and Kolja Grassmann | February 26, 2025 | Red Teaming |
| The Key to COMpromise – Part 3 | Alain Rödel and Kolja Grassmann | February 12, 2025 | Red Teaming |
| The Key to COMpromise – Part 2 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| TLPT: Bedrohungsorientierte Penetrationstests nach DORA | Michael Brügge | January 24, 2025 | Red Teaming |
| The Key to COMpromise Part 1 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| Wer hat das Elster-Zertifikat weitergegeben? | Benjamin Häublein | December 3, 2024 | Identity |
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |
Do you want to protect your systems? Feel free to get in touch with us.