häcker
Website: https://mkiesel.ch

This is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.

👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/

Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.

TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷‍♂️

CVE-2026-20817 - Windows Error Reporting Service EoP

This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially.

itm4n’s blog

A walkthrough on patching Dell UEFI firmware at the SPI flash level to disable pre-boot DMA protection — bypassing the BIOS password entirely. The interesting part: the UEFI UI still reports the setting as enabled, and TPM measured boot doesn't detect the NVRAM change, so BitLocker unlocks normally. The patch also persists through official Dell BIOS updates. From there it's DMAReaper to kill IOMMU + PCILeech for a SYSTEM shell. Significant measured boot policy gap. https://www.mdsec.co.uk/2026/03/disabling-security-features-in-a-locked-bios/
Disabling Security Features in a Locked BIOS - MDSec

Overview This post explores how modifying a Dell UEFI firmware image at the flash level can fundamentally undermine platform security without leaving visible traces in the firmware interface. By directly...

MDSec

If you ever need to update headers like cookies from within the repeater tab of Burp but do not want to manually copy the newest cookies, I have you covered.

https://portswigger.net/bappstore/4bebc64c95554d9fa71e5ffd1d67b400

Quick Update Headers

Refresh individual request headers with the latest values from the same host.

Kanboard CVE-2026-33058 Writeup

Walkthrough of the discovery of an authenticated SQL injection in Kanboard version <= 1.2.50 tracked as CVE-2026-33058

0dave

Lenovo released all patches for the Vantage vulnerabilities I reported earlier this year. The blog has been updated with write‑ups for CVE-2025-13154, CVE-2026-1715, CVE-2026-1716, and CVE-2026-1717.

https://cyllective.com/blog/posts/lenovo-vantage

Vulnerabilities in Lenovo Vantage

A write-up of CVE-2025-13154, CVE-2026-1715, CVE-2026-1716, and CVE-2026-1717

There are probably more vulns to be found, especially in the parts that I did not look at. Passing the torch to all the other researcherz.

First research in a while! Here's my brain dump on reverse-engineering and auditing Lenovo Vantage. In total, I found four (4) vulns. Check out the post and my custom tooling if you're interested.

https://mkiesel.ch/posts/lenovo-vantage/

roll with advantage: hacking lenovo vantage | mkiesel.ch

A technical deep dive into the lands of Lenovo Vantage and its add-ins, including tooling to help you hunt for vulnerabilities

Nobody asked for them, but here are my uBlock rules to slim down Twitter/X, Bluesky, and Mastodon. They disable fancy features and make it so that basically there are only the options to post and to view your "following" feed. No more distractions!

https://gist.github.com/rtfmkiesel/1b715971be97cfb50bb284748f497248

uBlock Origin rules to slim down/minimalize Twitter/X, Bluesky, and Mastodon - anti_social_media_ublock_rules.txt

Gist

The #Insomnihack 2026 talks are LIVE! Top-tier speakers. Real-world security research.
Check out the full talks lineup and register now 👇
https://insomnihack.ch/?utm_source=mastodon&utm_medium=image&utm_campaign=Insomnihack2026&utm_content=2901
Seats are limited so don’t miss it!
#InsomniHack #Cybersecurity #Infosec #INSO2026 #CyberConferences

🇨🇭 With El Tony's new Mate Zero and Coop's New Prix Garantie Mate, matelab is now at 60 mate-based beverages 🧉

https://matelab.ch/

matelab.ch - The Swiss Mate Index

Compare mate-based beverages

matelab.ch