Francesco Giordano 

@[email protected]
33 Followers
44 Following
84 Posts
Casually stumbling on vulnerabilities ¯\_(ツ)_/¯


Security Engineer by day, flag dodger @JBZTeam by night 

Rants are my own.
twitterhttps://twitter.com/0xakuma
verifiedhttps://twittodon.com/share.php?t=0xakuma&[email protected]
Bloghttps://appsec.space
Francesco Giordano Aug 26, 2025

This House is Haunted:
A decade-old bug in the AION client’s housing system let Lua scripts trigger RCE.

A dive into game scripting, sandboxes, and forgotten exploits.

https://appsec.space/posts/aion-housing-exploit/

#gamedev #infosec #mmorpg

Francesco Giordano Aug 7, 2024

My keyboard was misbehaving so I had to exploit my NAS

http://appsec.space/posts/zimaos-casaos-rce/

#appsec #infosec #cybersecurity

My keyboard was misbehaving so I had to exploit my NAS

I recently received my ZimaCube: a NAS from IceWhale, the same company behind the ZimaBlade, ZimaBoard and most notably CasaOS, a UI to manage docker applications.

appsec & stuff
Francesco Giordano Jul 12, 2024

Few weeks ago I did a small code review on #CasaOS and #ZimaOS from #IceWhaleTech
Glad to say that web (2.0) vulnerabilities are still a thing 😬
Ended up reporting a bunch of them that are being fixed. One is CVE-2024-39692.

More in a blogpost soon™️

Francesco Giordano Mar 31, 2024
shellsharksMar 31, 2024

There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.

https://shellsharks.com/xz-compromise-link-roundup

I will *try* to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.

#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity

xz/liblzma Compromise Link Roundup

Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).

shellsharks
Francesco Giordano Mar 30, 2024

I wrote a post on the xz backdoor. No backdoor analysis, just considerations on what went wrong.

#cve20243094 #xz

https://appsec.space/posts/xz-backdoor

The xz backdoor from a Security Engineer persepective

As you probably already heard, the xz package got compromised. The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094.

appsec.space
Francesco Giordano Mar 29, 2024

A #backdoor was found in xz/liblzma 5.6.0 to 5.6.1

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Francesco Giordano Mar 19, 2024
VissMar 18, 2024
cant wait for this to be a 'medium level finding' in nessus, and have all 6000 security taxonomies submit to gladitorial combat about its severity level and 400 years of bickering about how bad it is
Francesco Giordano Feb 29, 2024
Anyone has experience with #D2 and #ELK? I like the concept of Graph as Code, but I am slowly descending into insanity due to overlapping arrows.
Francesco Giordano Jan 3, 2024
Got Covid (again). FML.
Francesco Giordano Nov 8, 2023
Yo @vito was looking for a place to buy this sticker or get the design, do you have any?