Clément Labro


🆕 New blog post!

"BitLocker's Little Secrets: The Undocumented FVE API"

A small Windows RE adventure to figure out how to get the status and configuration of a BitLocker protected drive programmatically and without admin privileges.

Now also implemented in PrivescCheck! 🔥

👉 https://itm4n.github.io/bitlocker-little-secrets-the-undocumented-fve-api/

Yet another abuse of the missing "CrossDevice.Streaming.Source.dll" DLL!

After CVE-2025-24076 / CVE-2025-24076 found by Compass Security, researcher Oscar Zanotti Campo found another vulnerability that he could exploit using the built-in misconfigured COM class referencing this DLL. This is CVE-2026-21508. 🔥

👉 https://0xc4r.github.io/posts/CVE-2026-21508/
👉 https://github.com/0xc4r/CVE-2026-21508_POC/
👉 https://blog.0patch.com/2026/03/micropatches-released-for-windows.html

#Windows #cve #cve_2026_21508 #vulnerability

CVE-2026-21508 - Windows Local Privilege Escalation via arbitrary COM object initialization

Windows Storage Elevation of Privilege Vulnerability


This is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.

👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/

Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.

TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷‍♂️

CVE-2026-20817 - Windows Error Reporting Service EoP

This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.


Reflecting en route home from @1ns0mn1h4ck, where I predominantly focussed on technical talks after giving our first public iteration of our binary instrumentation with Frida training.

Most researchers rarely mentioned AI usage, but were often asked about this during post-talk Q&A, where the answer was almost always along the lines of “it’s pretty bad at $this”.

In some cases there were hints that LLMs helped speed up some of the grunt work, but for anything novel, the human did the work.

This makes me wonder a bit about offensive research and the extreme automation push we're facing as a whole. I worry how we are going to keep the energy to push beyond a perceived knowledge ceiling, especially when you know you need to sometimes be unreasonably persistent for good research outcomes, all while not being distracted by LLMs and their force multiplier effect.

That said, I’m encouraged to see people push that noise out of the way and continue to figure out how stuff really works, even though most of us are less sure of what the future looks like.

RegPwn was a Windows 0-day that we were using for LPE in our Red Team for a year (discovered by Filip D. in January 2025). Unfortunately it got fixed 🥲

Good bye RegPwn 🫡

https://www.mdsec.co.uk/2026/03/rip-regpwn/

RIP RegPwn - MDSec

13th March 2026 As part of MDSec’s R&D work, we often discover vulnerabilities and develop exploits to support our red team engagements. When researching widely used software, it is often...

My final blog related to admin protection is up. https://projectzero.google/2026/02/gphfh-deep-dive.html I go into a bit of history of the interesting GetProcessHandleFromHwnd API, how it ended up allowing you to bypass protected process restrictions and how it's now "fixed".
A Deep Dive into the GetProcessHandleFromHwnd API - Project Zero

In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass us...

It's a blog post I should have published months ago, but here we finally are.

"CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP"

Credit goes to t0zhang (on X) for the discovery.

👉 https://itm4n.github.io/cve-2025-59201-ncsi-eop/

I'd like to write more of those but it's so time-consuming. 😔

#cve #windows

CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP

It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the “Network Connection Status Indicator”.

Released the second part of my blog post series on Admin Protection. This time it's about how most of the bugs I found came about due to abusing UI Access which was overlooked as UAC bypasses because, well, they were UAC bypasses. https://projectzero.google/2026/02/windows-administrator-protection.html
Bypassing Administrator Protection by Abusing UI Access

In my last blog post I introduced the new Windows feature, Administrator Protection and how it ai...

My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D
Bypassing Windows Administrator Protection - Project Zero

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Cont...

One of the best blog posts I've read recently. Complex subject but very accessible explanations. Great job by Ksawery Czapczyński a.k.a. @0xXaFF.

"PatchGuard Peekaboo: Hiding Processes on Systems with PatchGuard in 2026"

https://www.outflank.nl/blog/2026/01/07/patchguard-peekaboo-hiding-processes-on-systems-with-patchguard-in-2026/