We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
CODE WHITE GmbH
Red Teaming. Security Research. Continuous Penetration Testing. Threat Intelligence.
- Bypassing .NET Serialization Binders: case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange codewhitesec.blogspot.com/2022/06/bypass…
- CVE-2023-27532 in Veeam Backup & Replication is serious, expect exploitation attempts soon. Our teammate @mwulftange was able to develop an exploit just by using the exposed API.
- PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() brought to you by @thefLinkk #BruCON0x0D
- Toys for red teams! Headache for blue teams? LethalHTA - a new lateral movement technique brought to you by @matthias_kaiser and @marpie0 of Code White. Check out our new blog post at codewhitesec.blogspot.com/2018/07/lethal… #wearehiring
- Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos - no technical details from us this time because this might instantly be abused by ransomware gangs code-white.com/public-vulnera…
- Exploiting ASP .NET TemplateParser to get RCE in Sitecore (CVE-2023-35813) and SharePoint (CVE-2023-33160) by @mwulftange in two parts: part 1 at code-white.com/blog/exploitin… is live now and part 2 will follow in a few days...stay tuned!
- Getting RCE with a Razor! Our walk-through of CVE-2021-22941 affecting Citrix ShareFile Storage Zones Controller by @mwulftange is now live
- No public details for CVE-2018-0624? Not our style ;) Check out our new blog
- For your reading pleasure: Liferay Portal unauth'd RCE vulns affecting all versions from 6.1 to 7.2, found by our very own @mwulftange codewhitesec.blogspot.com/2020/03/lifera…
- Our powerintern @testert01 strikes again, teamed up with @thefLinkk and developed SysmonEnte: a hard to detect attack on Sysmon. Check out our new blogpost:
- If you're interested in Java Deserialization Exploitation with recent JDKs, feel free to check out codewhitesec.blogspot.com/2023/04/java-e… by our very own @frycos . We'll not publish tooling but maybe this blog post pushes research(ers) into new and interesting directions...
- Even though JMX exploitation is well understood, @mwulftange and @qtc_de found new universal exploitation techniques & one of them allows to gain instant Remote Code Execution using TemplatesImpl (which is now implemented in #beanshooter)



