#exploit
#Fuzzing
#AppSec
A Fuzzy Escape - A tale of vulnerability research on hypervisors (CVE-2025-30712)
https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors
// The research uncovered critical VM escape vulnerabilities in QEMU and VirtualBox through static analysis and fuzzing, including a buffer overflow and an integer overflow enabling arbitrary code execution
⭐️ @Zerosec_team
#Fuzzing
#AppSec
A Fuzzy Escape - A tale of vulnerability research on hypervisors (CVE-2025-30712)
https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors
// The research uncovered critical VM escape vulnerabilities in QEMU and VirtualBox through static analysis and fuzzing, including a buffer overflow and an integer overflow enabling arbitrary code execution
⭐️ @Zerosec_team
Google
Blog: A Fuzzy Escape - A tale of vulnerability research on hypervisors
This blog post describes the journey of discovering a VM escape bug with the goal of demystifying the security research process and demonstrating how persistence and pivoting can lead to achieving successful exploitation.
❤2🔥2
#exploit
#AppSec
1⃣ Dell UnityVSA Pre-Auth Command Injection (CVE-2025-36604)
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604
2⃣ Authentication Bypass in the Rest API via XSS on Safari and Chrome (iOS/iPhone)
https://bugcrowd.com/disclosures/d5f4aa80-77da-49bb-a259-afe23b6bfa0a/authentication-bypass-in-the-rest-api-via-xss-on-safari-and-chrome-ios-iphone-only
3⃣ Arbitrary Code Execution in Android Unity Runtime (CVE-2025-59489)
https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime
// Atlassian Confluence AuthN Bypass in the API via XSS on iOS Safari and Chrome
4⃣ Abusing the NinjaShell API for Code Execution in Google Web Designer
https://sudistark.github.io/2025/09/23/RCE-in-web-designer.html
⭐️ @Zerosec_team
#AppSec
1⃣ Dell UnityVSA Pre-Auth Command Injection (CVE-2025-36604)
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604
2⃣ Authentication Bypass in the Rest API via XSS on Safari and Chrome (iOS/iPhone)
https://bugcrowd.com/disclosures/d5f4aa80-77da-49bb-a259-afe23b6bfa0a/authentication-bypass-in-the-rest-api-via-xss-on-safari-and-chrome-ios-iphone-only
3⃣ Arbitrary Code Execution in Android Unity Runtime (CVE-2025-59489)
https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime
// Atlassian Confluence AuthN Bypass in the API via XSS on iOS Safari and Chrome
4⃣ Abusing the NinjaShell API for Code Execution in Google Web Designer
https://sudistark.github.io/2025/09/23/RCE-in-web-designer.html
⭐️ @Zerosec_team
watchTowr Labs
It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604)
Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive.
Today, we’re walking down the garden path and digging into the archives, publishing our analysis…
Today, we’re walking down the garden path and digging into the archives, publishing our analysis…
❤3👍1