It turns out, you can escape Earth, but you cannot escape shitty MS office
| Website | https://mkiesel.ch |
Manu
- 104 Followers
- 72 Following
- 13 Posts
häcker
Clément LabroThis is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.
👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/
Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.
TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷♂️
CVE-2026-20817 - Windows Error Reporting Service EoP
This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.
dragosrA walkthrough on patching Dell UEFI firmware at the SPI flash level to disable pre-boot DMA protection — bypassing the BIOS password entirely. The interesting part: the UEFI UI still reports the setting as enabled, and TPM measured boot doesn't detect the NVRAM change, so BitLocker unlocks normally. The patch also persists through official Dell BIOS updates. From there it's DMAReaper to kill IOMMU + PCILeech for a SYSTEM shell. Significant measured boot policy gap. https://www.mdsec.co.uk/2026/03/disabling-security-features-in-a-locked-bios/
If you ever need to update headers like cookies from within the repeater tab of Burp but do not want to manually copy the newest cookies, I have you covered.
https://portswigger.net/bappstore/4bebc64c95554d9fa71e5ffd1d67b400
DavePublished the writeup for the authenticated SQL injection vulnerability in Kanboard - CVE-2026-33058.
https://0dave.ch/posts/cve-2026-33058/
https://www.cve.org/CVERecord?id=CVE-2026-33058
https://github.com/kanboard/kanboard/security/advisories/GHSA-f62r-m4mr-2xhh
Lenovo released all patches for the Vantage vulnerabilities I reported earlier this year. The blog has been updated with write‑ups for CVE-2025-13154, CVE-2026-1715, CVE-2026-1716, and CVE-2026-1717.
There are probably more vulns to be found, especially in the parts that I did not look at. Passing the torch to all the other researcherz.
First research in a while! Here's my brain dump on reverse-engineering and auditing Lenovo Vantage. In total, I found four (4) vulns. Check out the post and my custom tooling if you're interested.
Nobody asked for them, but here are my uBlock rules to slim down Twitter/X, Bluesky, and Mastodon. They disable fancy features and make it so that basically there are only the options to post and to view your "following" feed. No more distractions!
https://gist.github.com/rtfmkiesel/1b715971be97cfb50bb284748f497248
Insomni'hackThe #Insomnihack 2026 talks are LIVE! Top-tier speakers. Real-world security research.
Check out the full talks lineup and register now 👇
https://insomnihack.ch/?utm_source=mastodon&utm_medium=image&utm_campaign=Insomnihack2026&utm_content=2901
Seats are limited so don’t miss it!
#InsomniHack #Cybersecurity #Infosec #INSO2026 #CyberConferences
Check out the full talks lineup and register now 👇
https://insomnihack.ch/?utm_source=mastodon&utm_medium=image&utm_campaign=Insomnihack2026&utm_content=2901
Seats are limited so don’t miss it!
#InsomniHack #Cybersecurity #Infosec #INSO2026 #CyberConferences
