Last week I gave a talk at #TROOPERS26: Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection. I discussed the challenges of incident analysis, such as increasing storage capacities and the lack of integration between tools. I presented a modular framework that Continue reading “TROOPERS26: Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection”
Continue readingHeads-up: TROOPERS Roundtable – Supply Chain Security
How to strengthen Supply Chain Security: Practical Exchange and Roadmap
Join an open, practitioner-focused roundtable for direct exchange on supply chain security. This session offers a concise overview of core concepts, e.g. SBOM, CSAF, and VEX and digs into the processes behind them: how to obtain, process and apply information to improve security across the supply chain.
Continue reading “Heads-up: TROOPERS Roundtable – Supply Chain Security”
Continue readingVulnerability Disclosure: Stealing Emails via Firefox’s AI Features
Imagine the following: You visit a webpage with a lot of text you don’t want to read and ask your AI assistant for a summary. A few moments later, the AI assistant has extracted one of your emails and sent it to an attacker without you ever knowing.
In October 2025, we found exactly this vulnerability in Firefox’s AI chatbot integration1.
Continue reading “Vulnerability Disclosure: Stealing Emails via Firefox’s AI Features”
Continue readingInsights into Entra ID’s (Un)Conditional Access
When looking at security measures in Microsoft Entra ID environments, a common recommendation is to implement Conditional Access policies.
Whether Conditional Access is implemented can be quickly checked, and you can put a check mark next to it in your best-practice compliance form. However, simply implementing conditional access will not provide much security. A phishing attack that we recently analyzed highlights this very well.
Continue reading “Insights into Entra ID’s (Un)Conditional Access”
Continue readingCVE-2026-47237 – Overly Permissive Istio Permissions Allow Kubeflow Authorization Token Stealing
Kubeflow is vulnerable to the theft of authorization tokens by any user of the Kubeflow UI or APIs, such as the Dashboard, Pipelines API, or Notebooks. With this token, the attacker can take over the user’s account and the data that is processed by that user. The attacker needs a valid user with the kubeflow-edit or Contributor role in a random Kubeflow namespace to perform this attack. This is given if Automatic Profile Creation is enabled. A setup based on the official manifests prior to version 1.10, and on most other packaged Kubeflow distributions, is vulnerable.
The Istio edit permissions were removed by Kubeflow in a timely manner. Affected users should update to the latest version to mitigate this issue.
Continue readingERNW White Paper 77: Unified Security Hardening with Cross-Platform Native Binaries
When configuring a new device, achieving an acceptable Lynis hardening score is a challenge most practitioners are familiar with.
Navigating its recommendations often requires significant background knowledge, leaving administrators without clear guidance on which settings are vulnerable and how to remediate them effectively.
We believe that security hardening should be insightful and accessible, a philosophy that drove this research and the development of our tool, Hardener, built around three identified deficits in established frameworks:
ERNW White Paper 76: Linux Client Hardening Guide
Hardening a Linux client system to an acceptable degree is a time-consuming process, one that demands familiarity with a broad set of configuration parameters, framework recommendations, and the reasoning behind each control.
This post introduces our new Linux client hardening guide (MD, PDF), a comprehensive, publicly available hardening reference for Linux systems.
Continue reading “ERNW White Paper 76: Linux Client Hardening Guide”
Continue readingWhen paradigms are shifting: InfoSec in the age of AI
Over the last few weeks, I have had a very productive exchange with Christoph Klaassen on the impact of AI on security governance and compliance. In this post, we summarize our thoughts.
When the Perimeter Dissolves: InfoSec in the Age of Agentic AI
There’s an old saying among hackers coined by Dr. Eugene Spafford: “The only truly secure system is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”1
It was a joke, a wry nod to the impossibility of perfect security. But here’s the thing: the joke doesn’t land anymore. Because in the world we’re building right now, the systems don’t stay powered off. They reason. They plan. They act. And they do it faster than any human security team can keep up.
Welcome to the age of agentic AI. If you work in Information Security Management and/or Governance, Risk & Compliance, this is the inflection point you may have been sensing in your gut for months.
Continue reading “When paradigms are shifting: InfoSec in the age of AI”
Continue readingDisclosure: Command Injection in Geutebrück Cameras
During a penetration test for a customer, we identified a command injection vulnerability in Geutebrück security cameras that allows authenticated attackers to execute arbitrary commands as root through the web interface. The root cause is unsanitized user input being passed into a sed script (and at least 12 other CGI endpoints). In addition to the injection, we identified an XSS vulnerability, an exposed system menu leaking configuration and log data, and an insecure GET-parameter-to-environment-variable mapping that enables abuse of variables like LD_PRELOAD and LD_DEBUG. We reported the findings to Geutebrück and a patched firmware was provided. This post walks through how we got from a sed error message to a root shell.
Geutebrück cameras are used as security cameras for enterprises, industry, and critical infrastructure, and support video streaming and configuration via a web interface. If the web interface is compromised, attackers can manipulate the video stream, potentially having a high impact on physical security, as they could use it to display fake images and videos to hide the camera’s real feed.
Continue reading “Disclosure: Command Injection in Geutebrück Cameras”
Continue readingWindows Early Boot Configuration: The CmControlVector and PspSystemMitigationOptions
While investigating how process mitigation settings are initialized, I encountered the global variable PspSystemMitigationOptions. Tracing how this value is populated led me to the CmControlVector. In this blog post, we take a look at the Windows kernel land configuration manager, especially its global CmControlVector variable. Quick note: the kernel’s configuration manager is not related to Microsoft Intune’s Configuration Manager. In short, the configuration manager is responsible for managing and implementing the registry. However, it is also responsible for setting up parts of the system during early boot.