Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.
November 19, 2025 – This is the first post in a series of blog posts on how we implemented support for Beacon Object Files into our own command and control (C2) beacon using the Mythic framework. In this first post, we will take a look at what Beacon Object Files are, how they work and why they are valuable to us.
Author: Leon Schmidt
November 12, 2025 – In this blog post you will learn how to do patchless hooking using ICs without registering or executing any user mode exception handlers.
Author: Lino Facco
November 5, 2025 – This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).
Author: Lino Facco
September 25, 2025 – Regarding the Node Package Manager (npm) supply chain attack that started September 8, 2025, and affected 27 packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
Author: Niklas Vömel
June 27, 2025 – This blog post explores effective governance strategies in red teaming, with particular focus on customer consultation, risk management, OPSEC, and the use of AI technologies.
Author: Hannes Allmann
February 26, 2025 – In this final part of our series on COM hijacking, we will examine a custom-named pipe IPC protocol implemented by Bitdefender Total Security and detail our approach to reverse engineering it. We will explore how we could use COM hijacking and this custom communication to gain SYSTEM privileges (CVE-2023-6154). Additionally, we will examine how to mitigate the vulnerabilities discussed throughout this series of blog posts. Lastly, we will demonstrate how COM hijacking can be exploited to perform a Denial-of-Service (DoS) attack on security products.
Author: Alain Rödel and Kolja Grassmann
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
February 17, 2025 – MobaXterm is a toolbox for remote computing.
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.
cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.
Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.
| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
| Vulnerability in Two App Studio Journey | CVE-2025-41459 | 7.8 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in Two App Studio Journey | CVE-2025-41458 | 5.5 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2306 | 5.9 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2305 | 8.6 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in Elaborate Bytes Virtual Clone Drive [ext] | CVE-2025-1865 | 7.8 (CVSS v3.1) | April 4, 2025 | Changelog |
| Vulnerability in Mobatek MobaXterm | CVE-2025-0714 | 6.5 (CVSS v3.1) | February 17, 2025 | Advisory |
| Vulnerability in Intel AMT | CVE-2024-38307 | 7.7 (CVSS v3.1) | February 11, 2025 | Intel |
| Vulnerability in G DATA Management Server [ext] | CVE-2025-0542 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in G DATA Security Client [ext] | CVE-2025-0543 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in Trend Micro Apex One | CVE-2024-55631 | 7.8 (CVSS v3.1) | January 8, 2025 | Advisory, Trend Micro |
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3.1) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3.1) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3.1) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3.1) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3.1) | July 1, 2024 | ZDI-Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3.1) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | 7.8 (CVSS v3.1) | November 7, 2023 | Advisory | |
| Vulnerability in Bytello Share | 7.8 (CVSS v3.1) | November 6, 2023 | Advisory | |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3.1) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3.1) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3.1) | September 30, 2022 | Advisory, RealVNC |
| Title | Author | Publication Date | Category |
| Beacon Object Files for Mythic – Part 1 | Leon Schmidt | November 19, 2025 | Red Teaming, Command-And-Control |
| Windows Instrumentation Callbacks – Hooks | Lino Facco | November 12, 2025 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks | Lino Facco | November 5, 2025 | Red Teaming, Reverse Engineering, Windows |
| IOCs of the npm crypto stealer supply chain incident | Niklas Vömel | September 25, 2025 | Forensic, Incident Handling |
| Effektive Governance-Strategien im Red Teaming | Hannes Allmann | June 30, 2025 | Red Teaming |
| The Key to COMpromise – Part 3 | Alain Rödel and Kolja Grassmann | February 12, 2025 | Red Teaming |
| The Key to COMpromise – Part 2 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| TLPT: Bedrohungsorientierte Penetrationstests nach DORA | Michael Brügge | January 24, 2025 | Red Teaming |
| The Key to COMpromise Part 1 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| Wer hat das Elster-Zertifikat weitergegeben? | Benjamin Häublein | December 3, 2024 | Identity |
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |
