Blog for ToolShell
Disclaimer: The content of this blog is provided for educational and informational purposes only.
blog.viettelcybersecurity.com/sharepoint-too…
#SharePoint #ToolShell
Khoa Dinh
- CVE-2022-47966, a SAML bug leading to Pre-Auth RCE. ManageEngine got hit: >10 products (including ADSelfService Plus, ADAudit Plus, AppManager, PMP, ServiceDesk, ...) are vulnerable when SAML is enabled or even is configured. manageengine.com/security/advis… #CVE-2022-47966 #SAML
- This is what happened to ManageEngine. In this blog:
  - Some XSLT transform location.
  - CVE-2014-0107 is as critical as CVE-2022-34169.
  - Not only ManageEngine products are affected.

  Finally, what can I do when vendors are delaying the advisory for a fixed bug? blog.viettelcybersecurity.com/saml-show-stop…
- The SharePoint patch for Pwn2Own Berlin has been released - patch ASAP. The exploit needs only one request💣 I’d name this bug ToolShell - ZDI did say the endpoint is ToolPane after all😅 zerodayinitiative.com/advisories/ZDI… #CVE_2025_49706 #CVE_2025_49704 #SharePoint #Pwn2Own
- VMware vCenter earlier versions Arbitrary File Read + SSRF + XSS
- While waiting for the Pwn2Own chain, you might want to read this. Disclaimer: This is a bug I discovered by accident, and it has already been resolved. I’m not sure which CVE or patch this maps to. If you know any information, please feel free to leave a comment. blog.viettelcybersecurity.com/sharepoint_pro…
- Turns out CVE-2025-53770 is mine. I reported it to MSRC after the July patch was released. @msftsecresponse said it was out of scope because I used the same deser payload at a different endpoint which they weren’t aware of. I tried my best to mitigate the exploit and all I got is a thank-you, nice reward
- It's a blind SSRF, but it is pre-auth msrc.microsoft.com/update-guide/e…
- Write-up for @tuo4n8's post. It was a long time ago, so there are many things I no longer remember.
  - No outbound Gadgets for CVE-2019-16891.
  - New JDBC attack chain.

  For English speakers, please use Google Translate.
- Replying to @thezdi: Funny things: Me thinking two mspaint processes are easier to find in the Details tab. ZDI: Ctrl+F to find the process :)))
- Viettel Cyber Security Press Release for Customer alert, Latest research and Recommendations. Blog is coming. viettelsecurity.com/microsoft-shar… #SharePoint #ToolShell
- If you know any affected plugin, please leave a comment. Our team member @_l0gg published the analysis of CVE-2022-0540 authentication bypass in Jira Seraph with some impacted plugins. Sadly he couldn't have his reports accepted for some bug bounty programs. blog.viettelcybersecurity.com/cve-2022-0540-…
- The bug in my previous blog is CVE-2024-38018 of @chudyPB 🫡. Really want to update the blog & tweet but I can't 😅 Writeup of my SharePoint RCE: CVE-2024-38018. ZDI decided not to publish the blog and I didn't find time to write a new one 😅 Enjoy @_l0gg analysis! zerodayinitiative.com ZDI-24-1204: Microsoft SharePoint SPThemes Deserialization of Untrusted Data Remote Code Execution Vulnerability
- Replying to @_l0gg: FAQ:
  - Why run mspaint? I can't be onsite, so the static payload can run on any OS. ysoserial requires Windows.
  - Why did it take two attempts at Pwn2Own? At the first attempt the command to run the exploit was missing the siteurl part :))

  I'm writing the blog, this is it right now:








