
Windows Instrumentation Callbacks
November 5, 2025 – This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).
Author: Lino Facco
Our employees frequently engage in research projects to live up to our high standards. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals, as well as to advisories and zero-day vulnerabilities.


September 25, 2025 – Regarding the Node Package Manager (npm) supply chain attack that started September 8, 2025, and affected 27 packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
Author: Niklas Vömel

June 27, 2025 – This blog post explores effective governance strategies in red teaming, with particular focus on customer consultation, risk management, OPSEC, and the use of AI technologies.
Author: Hannes Allmann

February 26, 2025 – In this final part of our series on COM hijacking, we will examine a custom-named pipe IPC protocol implemented by Bitdefender Total Security and detail our approach to reverse engineering it. We will explore how we could use COM hijacking and this custom communication to gain SYSTEM privileges (CVE-2023-6154). Additionally, we will examine how to mitigate the vulnerabilities discussed throughout this series of blog posts. Lastly, we will demonstrate how COM hijacking can be exploited to perform a Denial-of-Service (DoS) attack on security products.
Author: Alain Rödel and Kolja Grassmann

February 12, 2025 – In this third part of our blog post series, we will cover the details of two additional vulnerabilities we found based on COM hijacking. The first vulnerability impacted Webroot Endpoint Protect (CVE-2023-7241), allowing us to leverage an arbitrary file deletion to gain SYSTEM privileges. In the second case, we targeted Checkpoint Harmony (CVE-2024-24912) and used a file download primitive to gain SYSTEM privileges.
Author: Alain Rödel and Kolja Grassmann

January 29, 2025 – In this post, we will delve into how we exploited trust in AVG Internet Security (CVE-2024-6510) to gain elevated privileges.
But before that, the next section will detail how we overcame an allow-listing mechanism that initially disrupted our COM hijacking attempts.
Author: Alain Rödel and Kolja Grassmann
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
February 17, 2025 – MobaXterm is a toolbox for remote computing.
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows an attacker to delete a folder with high privileges. This can be leveraged to escalate privileges to SYSTEM.
cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.
Below is a list of vulnerabilities (with their CVEs, where assigned) identified or assigned by cirosec and presented here for reference and cataloguing.
| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
|---|---|---|---|---|
| Vulnerability in Two App Studio Journey | CVE-2025-41459 | 7.8 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in Two App Studio Journey | CVE-2025-41458 | 5.5 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2306 | 5.9 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2305 | 8.6 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in Elaborate Bytes Virtual Clone Drive [ext] | CVE-2025-1865 | 7.8 (CVSS v3.1) | April 4, 2025 | Changelog |
| Vulnerability in Mobatek MobaXterm | CVE-2025-0714 | 6.5 (CVSS v3.1) | February 17, 2025 | Advisory |
| Vulnerability in Intel AMT | CVE-2024-38307 | 7.7 (CVSS v3.1) | February 11, 2025 | Intel |
| Vulnerability in G DATA Management Server [ext] | CVE-2025-0542 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in G DATA Security Client [ext] | CVE-2025-0543 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in Trend Micro Apex One | CVE-2024-55631 | 7.8 (CVSS v3.1) | January 8, 2025 | Advisory, Trend Micro |
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3.1) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3.1) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3.1) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3.1) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3.1) | July 1, 2024 | ZDI-Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3.1) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | (none) | 7.8 (CVSS v3.1) | November 7, 2023 | Advisory |
| Vulnerability in Bytello Share | (none) | 7.8 (CVSS v3.1) | November 6, 2023 | Advisory |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3.1) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3.1) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3.1) | September 30, 2022 | Advisory, RealVNC |
| Title | Author | Publication Date | Category |
|---|---|---|---|
| IOCs of the npm crypto stealer supply chain incident | Niklas Vömel | September 25, 2025 | Forensic, Incident Handling |
| Effektive Governance-Strategien im Red Teaming | Hannes Allmann | June 30, 2025 | Red Teaming |
| The Key to COMpromise – Part 3 | Alain Rödel and Kolja Grassmann | February 12, 2025 | Red Teaming |
| The Key to COMpromise – Part 2 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| TLPT: Bedrohungsorientierte Penetrationstests nach DORA | Michael Brügge | January 24, 2025 | Red Teaming |
| The Key to COMpromise – Part 1 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| Wer hat das Elster-Zertifikat weitergegeben? | Benjamin Häublein | December 3, 2024 | Identity |
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |