Publications

Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound

02/02/2026 Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can lead to significant security implications. While privileges like SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, it is also possible for defenders to leverage logon rights privileges to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHound...

On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

23/01/2026 At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploitable heap layout; and abusing subtle behaviors of the vulnerable function to create powerful primitives. Ultimately, the exploit worked on ...

Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025

14/01/2026 Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements. We will present compromise methods, addressing both common scenarios and less conventional ones. The purpose of this article is to present a range of the most commonly useful attack methods in Wi-Fi penetration testing. By improving the understanding of these attacks, we hope ...

Livewire: remote command execution through unmarshaling

23/12/2025 Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need of heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiate and restores component states, supporting complex data types. However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire...

Exploiting Anno 1404

16/12/2025 Anno 1404 is a strategy game developed by Related Designs and published by Ubisoft. It is a real-time strategy game that focuses on city management and construction. The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. During our research, we discovered several vulnerabilities that, when combined, allow for arbitrary code execution from within the multiplayer mode.

ActivID administrator account takeover : the story behind HID-PSA-2025-002

12/12/2025 In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods including push authentication, OTP, PKI credentials, and static credentials. In this article we will walk you through the methodology we used to discover HID-PSA-2025-002, an authentication bypass in the SOAP API that can lead to administrative access on the applica...

2025 Winter Challenge: Quinindrome

01/12/2025 A few months have passed and the first snowflakes have fallen since the end of the Synacktiv Summer Challenge. This event was a success, with one of the participants even finding a zero-day vulnerability while working on his solution! Although it hasn't been made public yet, it will be covered in an upcoming article on the Synacktiv website. As winter is coming, it's now time to introduce the Synacktiv Winter Challenge! Join other participants in this code golf contest and send us your solution before January 1st 🏌️. 

Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey

27/11/2025 This article documents our successful exploitation at Pwn2Own Ireland 2025 against the BeeStation Plus. We walk through the full vulnerability research process, including attack surface enumeration, code auditing, exploit development, and ultimately obtaining a root shell on the target.

Site Unseen: Enumerating and Attacking Active Directory Sites

05/11/2025 Active Directory Sites are a feature allowing to optimize network performance and bandwidth usage in AD internal environments. They are commonly implemented by large, geographically dispersed organizations spanning across multiple countries or continents. Sites did not receive much attention by the Active Directory offensive research community, comparatively to other ACL-based attack vectors. This article aims to demonstrate that not only do attack vectors targeting Active Directory sites exist, but that they can lead to impactful pr...

Creating a "Two-Face" Rust binary on Linux

28/10/2025 In this article we will describe a technique to easily create a "Two-Face" Rust binary on Linux: an executable file that runs a harmless program most of the time, but will run a different, hidden code if deployed on a specific target host. This approach, which allows binding a binary to its environment, can be useful for a targeted malware payload or, more commonly, in a license protection mechanism. We will also detail how to make the "hidden" binary more difficult to inspect in memory.