
Publications

Exploiting the Tesla Wall Connector from its charge port connector - Part 2: bypassing the anti-downgrade

12/05/2026
Exploit
Reverse-engineering
In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old, vulnerable firmware to the passive slot, reboot, and pop the debug shell. Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine. Every firmware image now carries a security ratchet value, and the updater refuses any ima...

Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge

06/05/2026
Exploit
The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to services listening on the local network, or launching an attack via a proximity network (Wi-Fi, Bluetooth, Zigbee). This article details the research conducted on the Philips Hue Bridge to achieve remote code execution (RCE) from the Zigbee network.

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ②

30/04/2026
Pentest
In part 1 of this blogpost series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE. In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters. Our research finally puts an end to authentication reflection vulnerabilities targe...

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1

27/04/2026
Pentest
A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following our analysis and the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This two-part blogpost will cover our journey to bypass the mitigations, which led to the discovery of two new authe...

Say hi to Pike!

23/04/2026
Development
Tools
Systems
In this article we will introduce Pike, an experimental LLM agent that generates and analyzes Linux program execution traces. We will show that, with its simple architecture paired with a good LLM, Pike can quickly help debug a crash, identify malware, or give valuable high-level insights via a natural chat interface.

Hooking Windows Named Pipes

21/04/2026
Pentest
During security assessments, we often see desktop applications composed of several processes. Some of them run as SYSTEM, and others run in the user session context, meaning they are unprivileged. These processes need to communicate in some way, and often use Windows Named Pipes as an IPC (Inter-Process Communication) mechanism. Once opened, named pipes are a (usually) bidirectional communication channel, just like TCP or WebSocket, that may be used by a low-privileged process to attack an elevated process.

Kubernetes forensics 1/3: what the container ?

26/03/2026
CSIRT
In 2025, Synacktiv CSIRT observed a significant rise in attacks and compromises targeting Kubernetes environments. The consensus is that these attacks are bound to keep growing along with the technology itself. To better understand how a Kubernetes cluster works and how to investigate one during a security incident, we decided to work on a series of articles about Kubernetes forensics. This one is the first of the series, focusing on the underlying container technology.

Exploring cross-domain & cross-forest RBCD

23/03/2026
The Resource-based Constrained Delegation (RBCD) attack is well known to pentesters and attackers: by editing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a machine account, an attacker can impersonate users on said machine. Even though this attack mechanism has been thoroughly documented on a single domain, and can be performed with Impacket or Rubeus, only a few resources mention its implementation in cross-domain and cross-forest environments. In this article, we present the cross-domain and cross-forest RBCD workflow...

Deep-dive into the deployment of an on-premise low-privileged LLM server

20/03/2026
Systems
In 1826, children fantasized about riding horses in the Wild West. In 1926, it was outrunning the law as a moonshiner. In 2026, managing distributed inference servers without leaking all the company data is surely a universal dream among the new generation. This article retraces our journey deploying an on-premise LLM server, with a critical eye on the security of the underlying stack.

mitmproxy for fun and profit: Interception and Analysis of Application Traffic

02/03/2026
Development
Network
A solid understanding of the protocols used by applications is a necessary prerequisite when assessing application security. In recent projects, we have had to intercept various types of network traffic across different platforms, including Linux, Android, and iOS. The purpose of this article is to introduce the mitmproxy tool and how to use it, as well as the different techniques that can be implemented to effectively intercept these communications, while taking into account the specific characteristics of each environment.