Markus Wulftange

@mwulftange@infosec.exchange
Principal Security Researcher and Pâtissier at @codewhitesec
Twitter: https://twitter.com/mwulftange
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
I'm getting confused keeping count of them, but we're almost at the double-digit mark! 😅
From: @codewhitesec
https://infosec.exchange/@codewhitesec/114241026482611250
CODE WHITE GmbH (@codewhitesec@infosec.exchange)

Our crew members @mwulftange & @frycos discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 as well as further entry points following @SinSinology & @chudypb 's blog. Don’t blacklist - replace BinaryFormatter.

Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) https://apply-if-you-can.com/walkthrough/2023/
Walkthrough 2023

Using Telerik Reporting or Report Server? Patch now to fix 3 RCEs @mwulftange found (CVE-2024-8015, CVE-2024-8014, CVE-2024-8048). Telerik vulns have a history of being exploited by threat actors according to #CISA. Details at https://code-white.com/public-vulnerability-list/
CODE WHITE | Public Vulnerability List

Public list of vulnerabilities, found by CODE WHITE

BeanBeat has been acquired by Kurts Maultaschenfabrikle! You don't know what that means? Head over to https://apply-if-you-can.com to find out in challenges that, without exception, stem from real-world vulns #uncompromisingRealism #finestHacking
CODE WHITE - Applicants Challenge 2024

Teaching the Old .NET Remoting New Exploitation Tricks – read how @mwulftange developed novel techniques to exploit Apache log4net's hardened .NET Remoting service: https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/
CODE WHITE | Teaching the Old .NET Remoting New Exploitation Tricks

This blog post provides insights into three exploitation techniques that can still be used in cases of a hardened .NET Remoting server with `TypeFilterLevel.Low` and Code Access Security (CAS) restrictions in place. Two of these tricks are considered novel and can help in cases where ExploitRemotingService is stuck.

Another product, another deserialization vulnerability, another RCE from @mwulftange: Patch your Telerik Report Server (CVE-2024-6327 & CVE-2024-6096) https://code-white.com/public-vulnerability-list/#unknowntyperesolver-insecure-type-resolution-in-report-server

Today, CODE WHITE turns 10 🥳 Over the past decade, we've hacked our way through 120+ large corporations' defenses, caused headaches for Blue Teams, and disclosed numerous 0days to vendors. From a few motivated hackers in 2014 to an established team of 50+ today, we continuously safeguard enterprise clients with our Security Intelligence Service and are proud to make a difference 💪 #FinestHacking #PWNage

Our second blog post about ASP .NET TemplateParser exploitation is live: @mwulftange unveils how a novel bypass technique can be applied to get RCE in SharePoint Online & On-Premise (CVE-2023-33160)

https://code-white.com/blog/exploiting-asp.net-templateparser-part-2/

CODE WHITE | Exploiting ASP.NET TemplateParser — Part II: SharePoint (CVE-2023-33160)

In Part I, we dug into the internals of the ASP.NET `TemplateParser` and elaborated its capabilities with respect to exploitation. In this part, we will look into whether and how this can also be exploited to gain Remote Code Execution. While this research was originally focussed on the `TemplateParser`, the newly discovered technique was also applicable to SharePoint on-premises and SharePoint Online. So we'll elaborate on how SharePoint protects against the use of malicious code and will present a novel trick that allowed bypassing these security measures (CVE-2023-33160).