Clément Labro


RegPwn was a Windows 0-day that we were using for LPE in our Red Team for a year (discovered by Filip D. in January 2025). Unfortunately, it got fixed 🥲

Good bye RegPwn 🫡

https://www.mdsec.co.uk/2026/03/rip-regpwn/

RIP RegPwn - MDSec

13th March 2026 As part of MDSec’s R&D work, we often discover vulnerabilities and develop exploits to support our red team engagements. When researching widely used software, it is often...

My final blog related to admin protection is up. https://projectzero.google/2026/02/gphfh-deep-dive.html I go into a bit of history of the interesting GetProcessHandleFromHwnd API, how it ended up allowing you to bypass protected process restrictions, and how it's now "fixed".
A Deep Dive into the GetProcessHandleFromHwnd API - Project Zero

In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass us...

It's a blog post I should have published months ago, but here we finally are.

"CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP"

Credit goes to t0zhang (on X) for the discovery.

👉 https://itm4n.github.io/cve-2025-59201-ncsi-eop/

I'd like to write more of those but it's so time-consuming. 😔

#cve #windows


It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the “Network Connection Status Indicator”.

Released the second part of my blog post series on Admin Protection. This time it's about how most of the bugs I found came about due to abusing UI Access which was overlooked as UAC bypasses because, well, they were UAC bypasses. https://projectzero.google/2026/02/windows-administrator-protection.html
Bypassing Administrator Protection by Abusing UI Access - Project Zero

In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exi...

My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html Probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D
Bypassing Windows Administrator Protection - Project Zero

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Cont...

One of the best blog posts I've read recently. Complex subject but very accessible explanations. Great job by Ksawery Czapczyński a.k.a. @0xXaFF.

"PatchGuard Peekaboo: Hiding Processes on Systems with PatchGuard in 2026"

https://www.outflank.nl/blog/2026/01/07/patchguard-peekaboo-hiding-processes-on-systems-with-patchguard-in-2026/

Project Zero have finally got around to updating the blog to something less Blogger-esque, check it out at https://projectzero.google. To coincide with this momentous occasion I dug out the draft of my blog post about Windows Object Manager performance, which became the basis of my article in PoC||GTFO #13, and updated it to see if it still worked in Windows 11. You can read it at https://projectzero.google/2025/12/windows-exploitation-techniques.html

Two blog posts just dropped - one with the details on the bloatware pwning shenanigans I was up to earlier in the year, and another on pipetap, a new Windows named pipe proxy/tool.

https://sensepost.com/blog/2025/pwning-asus-driverhub-msi-center-acer-control-centre-and-razer-synapse-4/

https://sensepost.com/blog/2025/pipetap-a-windows-named-pipe-proxy-tool/

Privescing a Laptop with BitLocker + PIN https://www.errno.fr/Bitlocker_TPM_and_PIN_privesc

Guillaume Quéré

A nice and short blog post about blinding EDR with WFP by my colleague Florian.

"Blinding EDRs: A deep dive into WFP manipulation"

https://blog.scrt.ch/2025/08/25/blinding-edrs-a-deep-dive-into-wfp-manipulation/
