Publications

Should you trust your zero trust? Bypassing Zscaler posture checks

08/08/2025
Pentest
Zscaler is widely used to enforce zero trust principles by verifying device posture before granting access to internal resources. These checks are meant to provide an additional layer of security beyond credentials and MFA. In this blog post, we present a vulnerability that allowed us to bypass Zscaler's posture verification mechanism. Although the issue has been patched for quite some time now, we observed it still being exploitable in several environments during recent engagements. This post details the configuration of the Zscaler c...

2025 Summer Challenge: OCInception

31/07/2025
Challenges
The last Synacktiv summer challenge was in 2019, and after 6 years, it's back. Send us your solution before the end of August, there are skills to learn and prizes to win! This challenge is inspired by code golfing, where the goal is to produce the smallest program implementing a feature. But this time, it will be about creating the smallest self-replicating Podman image archive...

Laravel: APP_KEY leakage analysis

10/07/2025
Tools
Pentest
In November 2024, Mickaël Benassouli and I talked about vulnerability patterns based on Laravel encryption at Grehack. Although each discovered vulnerability requires access to a Laravel secret, the APP_KEY, we emphasized the security risks involved and highlighted how often this secret is insecurely exposed in public projects. The story did not stop there: we gathered a huge set of APP_KEYs and developed a new tool to identify vulnerable patterns across a set of publicly exposed Laravel applications. This blog post sums up our...

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

10/07/2025
Hardware
Exploit
Reverse-engineering
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.

Exploiting the Tesla Wall connector from its charge port connector

17/06/2025
Hardware
Exploit
Reverse-engineering
In January 2025, we participated in Pwn2Own Automotive with multiple targets. One of them was the Tesla Wall Connector — the home charger for electric vehicles (including non-Tesla ones). We presented an attack that used the charging connector as the entry point, communicating with the charger using a non-standard protocol (for this type of application). We exploited a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the c...

NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

11/06/2025
Pentest
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. This blog post details the vulnerability discovery, the complete root-cause analysis, and the patch released by Microsoft.

Exploiting Heroes of Might and Magic V

10/06/2025
Exploit
Heroes of Might and Magic V is a turn-based strategy video game developed by Nival Interactive. A map editor is provided with the game, and players can create maps that can be played solo or in multiplayer. This makes maps an interesting attack vector. In this article, we will see how malicious code can be executed from a Heroes of Might and Magic V map.

Open-source toolset of an Ivanti CSA attacker

12/05/2025
CSIRT
In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient detection capabilities.