UP-TO-DATE

Blog

Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.

Blog Articles

Forensic

Analysis of a credential-stealer malware campaign – Part 1

May 20, 2026 – In March 2026, cirosec identified an ongoing malware campaign targeting developers, IT professionals, and power users who rely on popular open-source and productivity tools. The campaign is only accessible using the Bing search engine. Once executed, the malware exfiltrates browser credential stores, cryptocurrency wallet data, authentication tokens, VPN and SSH configurations, and sensitive documents.

Author: Colin Glätzer, Konrad Weyhing, Felix Friedberger

Pentesting

Reifegrad für Sicherheitsüberprüfungen

11. Mai 2026 – Eine kurze Zusammenfassung unseres Vortrags bei den cirosec-TrendTagen zu Pentesting, Assumed Breach, Red Teaming, TLPT & Co.

Author: Michael Brügge

Kubernetes

The seven seas of Kubernetes security

May 5, 2026 – Today a single malicious container image could be enough to take over a larger fleet of machines and grant an attacker control over confidentiality, integrity and availability of all the workloads running in a Kubernetes cluster and potentially beyond, since clusters often hold secrets and credentials for external services and infrastructure. In this article we outline a set of key security domains that organizations should address to secure Kubernetes effectively.

Author: Christoffer Albrecht

Pentesting

Penetration Testing LLM Web Apps: Common Pitfalls

April 14, 2026 – This article focuses exclusively on penetration testing applications that use off-the-shelf LLM models through inference APIs.

Author: Felix Friedberger

Azure

Auditieren von M365 und Azure

March 24, 2026 – Entra ID und Azure sind ein eigener Kosmos, der viele Möglichkeiten aber auch viele Stolperfallen hinsichtlich der Sicherheit mit sich bringt. Entra ID und Azure sicher zu betreiben, ist eine Kunst für sich und stellt viele IT-Abteilungen vor große Herausforderungen. In diesem Blogpost soll es darum gehen, wie man diesem Problem Herr werden kann.

Author: Constantin Wenz

Forensic

How Attackers Abuse Bubbleapps.io to Phish German Businesses

February 25, 2026 – This post breaks down the full attack chain, from initial phishing emails to credential harvesting and remote access malware and maps out some of the infrastructure behind it.

Author: Felix Friedberger

Advisories

Vulnerability in Two App Studio Journey (CVE-2025-41459)

July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.

Vulnerability in Two App Studio Journey (CVE-2025-41458)

July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.

Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2306)

May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.

Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2305)

May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.

Vulnerability in Mobatek MobaXterm (CVE-2025-0714)

February 17, 2025 – MobaXterm is a toolbox for remote computing.

Vulnerability in Trend Micro Apex One (CVE-2024-55631)

January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.

Vulnerabilities

cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.

cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.

Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.

Vulnerability	CVE	CVSS Score	Publication Date	More Details
Vulnerability in Two App Studio Journey	CVE-2025-41459	7.8 (CVSS v3.1)	July 21, 2025	Advisory
Vulnerability in Two App Studio Journey	CVE-2025-41458	5.5 (CVSS v3.1)	July 21, 2025	Advisory
Vulnerability in SYNCPILOT LIVE CONTRACT	CVE-2025-2306	5.9 (CVSS v3.1)	May 15, 2025	Advisory
Vulnerability in SYNCPILOT LIVE CONTRACT	CVE-2025-2305	8.6 (CVSS v3.1)	May 15, 2025	Advisory
Vulnerability in Elaborate Bytes Virtual Clone Drive [ext]	CVE-2025-1865	7.8 (CVSS v3.1)	April 4, 2025	Changelog
Vulnerability in Mobatek MobaXterm	CVE-2025-0714	6.5 (CVSS v3.1)	February 17, 2025	Advisory
Vulnerability in Intel AMT	CVE-2024-38307	7.7 (CVSS v3.1)	February 11, 2025	Intel
Vulnerability in G DATA Management Server [ext]	CVE-2025-0542	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in G DATA Security Client [ext]	CVE-2025-0543	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in Trend Micro Apex One	CVE-2024-55631	7.8 (CVSS v3.1)	January 8, 2025	Advisory, Trend Micro
Vulnerability in HP Hotkey Support	CVE-2024-27458	8.8 (CVSS v3.1)	October 4, 2024	Advisory, HP
Vulnerability in AVG Internet Security	CVE-2024-6510	7.8 (CVSS v3.1)	September 12, 2024	Advisory
Vulnerability in Overwolf	CVE-2024-7834	7.8 (CVSS v3.1)	September 4, 2024	Advisory
Vulnerability in baramundi Management Agent	CVE-2024-6689	7.8 (CVSS v3.1)	July 15, 2024	Advisory, baramundi
Vulnerability in Trend Micro Apex One	CVE-2024-36302	7.8 (CVSS v3.1)	July 1, 2024	ZDI-Advisory, Trend Micro
Vulnerability in Checkpoint Harmony	CVE-2024-24912	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Checkpoint
Vulnerability in Webroot Antivirus	CVE-2023-7241	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Webroot
Vulnerability in Bitdefender	CVE-2023-6154	7.8 (CVSS v3.1)	April 1, 2024	Advisory, Bitdefender
Vulnerability in neo42 Sumatra PDF Package		7.8 (CVSS v3.1)	November 7, 2023	Advisory
Vulnerability in Bytello Share		7.8 (CVSS v3.1)	November 6, 2023	Advisory
Vulnerability in Kiteworks OwnCloud	CVE-2023-7273	6.8 (CVSS v3.1)	November 4, 2023	Advisory
Vulnerability in VMware Workstation	CVE-2023-20854	7.8 (CVSS v3.1)	February 3, 2023	Advisory, VMware
Vulnerability in Remote Access Software from RealVNC	CVE-2022-41975	7.8 (CVSS v3.1)	September 30, 2022	Advisory, RealVNC

Blogs - Overview

Title	Author	Publication Date	Category
Analysis of a credential-stealer malware campaign–Part 1	C. Glätzer, K. Weyhing, F. Friedberger	May 20, 2026	Forensic
Reifegrad für Sicherheitsüberprüfungen	Michael Brügge	May 11, 2026	Pentesting
The seven seas of Kubernetes security	Christoffer Albrecht	May 5, 2026	Kubernetes
Penetration Testing LLM Web Apps: Common Pitfalls	Felix Friedberger	April 14, 2026	Pentesting
Auditieren von M365 und Azure	Constantin Wenz	March 24, 2026	Azure, EntraID
How Attackers Abuse Bubbleapps.io to Phish German Businesses	Felix Friedberger	February 10, 2026	Forensic
Windows Instrumentation Callbacks – Part 4	Lino Facco	February 10, 2026	Red Teaming, Reverse Engineering, Windows
Windows Instrumentation Callbacks – Part 3	Lino Facco	January 28, 2026	Red Teaming, Reverse Engineering, Windows
Die neue i-Kfz-App für den digitalen Fahrzeugschein	Julian Lemmerich	December 3, 2025	Digitalization, Identity, Mobile Security
Beacon Object Files for Mythic – Part 2	Leon Schmidt	November 27, 2025	Red Teaming, Command-And-Control
A collection of Shai-Hulud 2.0 IoCs	Niklas Vömel & Felix Friedberger	November 27, 2025	Forensic, Incident Handling
Beacon Object Files for Mythic – Part 1	Leon Schmidt	November 19, 2025	Red Teaming, Command-And-Control
Windows Instrumentation Callback – Part 2	Lino Facco	November 12, 2025	Red Teaming, Reverse Engineering, Windows
Windows Instrumentation Callbacks – Part 1	Lino Facco	November 5, 2025	Red Teaming, Reverse Engineering, Windows
IOCs of the npm crypto stealer supply chain incident	Niklas Vömel	September 25, 2025	Forensic, Incident Handling
Effektive Governance-Strategien im Red Teaming	Hannes Allmann	June 30, 2025	Red Teaming
The Key to COMpromise – Part 4	Alain Rödel and Kolja Grassmann	February 26, 2025	Red Teaming
The Key to COMpromise – Part 3	Alain Rödel and Kolja Grassmann	February 12, 2025	Red Teaming
The Key to COMpromise – Part 2	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
TLPT: Bedrohungsorientierte Penetrationstests nach DORA	Michael Brügge	January 24, 2025	Red Teaming
The Key to COMpromise Part 1	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
Wer hat das Elster-Zertifikat weitergegeben?	Benjamin Häublein	December 3, 2024	Identity
Google DoC2	Frederik Reiter	November 7, 2024	Command-and-Control, Red Teaming
Abusing Microsoft Warbird for Shellcode Execution	Jan-Luca Gruber & Frederik Reiter	November 7, 2024	Red Teaming, Reverse Engineering, Windows
Inside the NAC Pi	Leon Schmidt	July 5, 2024	Red Teaming
Loader Dev. 5 – Loading our payload	Kolja Grassmann	May 10, 2024	Red Teaming
Loader Dev. 4 – AMSI and ETW	Kolja Grassmann	April 30, 2024	Red Teaming
Loader Dev. 3 – Evading userspace hooks	Kolja Grassmann	April 10, 2024	Red Teaming
Loader Dev. 2 – Dynamically resolving functions	Kolja Grassmann	March 10, 2024	Red Teaming
Loader Dev. 1 – Basics	Kolja Grassmann	February 10, 2024	Red Teaming
Microsoft Tiering Model – Part 3/3	Hagen Molzer	January 10, 2024	AD Security
Microsoft Tiering Model – Part 2/3	Hagen Molzer	December 10, 2023	AD Security
Microsoft Tiering Model – Part 1/3	Hagen Molzer	November 10, 2023	AD Security

Your contact person

Daniela Strobel
daniela.strobel@cirosec.de
+49 7131 59455-60

Do you want to protect your systems? Feel free to get in touch with us.