Publications

2025 winter challenge writeup

24/02/2026
Challenges
Creating quines is a game that has always fascinated computer scientists. The journal Software: Practice and Experience dedicated an article to the subject in 1972—well before Intel released its first 32-bit x86 processor (1985). Even today, many enthusiasts continue to explore the intriguing universe of quines, such as Amy Burnett with her impressive JPEG Hash Quine or Yusuke Endoh’s legendary Uroboros Quine. In 2025, Synacktiv carried on this tradition by proposing two new variations of this type of puzzle: OCInception and Quinindro...

Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound

02/02/2026
Pentest
Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can lead to significant security implications. While privileges like SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, it is also possible for defenders to leverage logon rights privileges to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHound...

On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

23/01/2026
Exploit
Reverse-engineering
At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a heap overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploitable heap layout; and abusing subtle behaviors of the vulnerable function to create powerful primitives. Ultimately, the exploit worked on ...

Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025

14/01/2026
Pentest
Despite the advancements made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blog post, we share insights into Wi-Fi-related findings encountered during penetration testing engagements. We will present compromise methods, addressing both common scenarios and less conventional ones. The purpose of this article is to present a range of the most commonly useful attack methods in Wi-Fi penetration testing. By improving the understanding of these attacks, we hope ...

Livewire: remote command execution through unmarshaling

23/12/2025
Pentest
Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need for heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiates and restores component states, supporting complex data types. However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire...

Exploiting Anno 1404

16/12/2025
Exploit
Anno 1404 is a strategy game developed by Related Designs and published by Ubisoft. It is a real-time strategy game that focuses on city management and construction. The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. During our research, we discovered several vulnerabilities that, when combined, allow for arbitrary code execution from within the multiplayer mode.

ActivID administrator account takeover: the story behind HID-PSA-2025-002

12/12/2025
Pentest
In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods including push authentication, OTP, PKI credentials, and static credentials. In this article we will walk you through the methodology we used to discover HID-PSA-2025-002, an authentication bypass in the SOAP API that can lead to administrative access on the applica...

2025 Winter Challenge: Quinindrome

01/12/2025
Challenges
A few months have passed and the first snowflakes have fallen since the end of the Synacktiv Summer Challenge. This event was a success, with one of the participants even finding a zero-day vulnerability while working on his solution! Although it hasn't been made public yet, it will be covered in an upcoming article on the Synacktiv website. As winter is coming, it's now time to introduce the Synacktiv Winter Challenge! Join other participants in this code golf contest and send us your solution before January 1st 🏌️.

Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey

27/11/2025
Exploit
Reverse-engineering
This article documents our successful exploitation at Pwn2Own Ireland 2025 against the BeeStation Plus. We walk through the full vulnerability research process, including attack surface enumeration, code auditing, exploit development, and ultimately obtaining a root shell on the target.

Site Unseen: Enumerating and Attacking Active Directory Sites

05/11/2025
Pentest
Active Directory Sites are a feature for optimizing network performance and bandwidth usage in internal AD environments. They are commonly implemented by large, geographically dispersed organizations spanning multiple countries or continents. Sites have not received much attention from the Active Directory offensive research community compared with other ACL-based attack vectors. This article aims to demonstrate that not only do attack vectors targeting Active Directory sites exist, but that they can lead to impactful pr...