
Publications

Caught in the Octopus Trap: Unauthenticated RCE in Argo CD with CodeQL

01/07/2026
Pentest
Synacktiv has discovered an unauthenticated arbitrary code execution vulnerability in ArgoCD's repo-server component, potentially allowing full cluster compromise. This article explains how the vulnerability was identified using CodeQL, details the exploitation process to gain control over the underlying Kubernetes cluster, and introduces a tool for automating the attack.

Completing Compliance with Evidence: A Bottom-Up Approach to NIS2, DORA, and the Cyber Resilience Act

30/06/2026
GRC
GRC (Governance, Risk and Compliance) as it is most often practiced works top-down: you read a piece of regulation, draft a policy, declare coverage, and archive a documentary record. This approach has value: it structures, it documents, and it meets an auditor's formal expectations. It also has a known limitation: it mostly reflects what the organization describes, and far less easily what actually happens.

Charting your way in: Helm template injection

29/06/2026
During the audit of a Kubernetes cluster, we encountered an injection in a Helm template applied through ArgoCD. To our surprise, very few resources exist regarding YAML injection in vulnerable Helm templates. In this blog post, we will explore this kind of vulnerability and how to prevent its exploitation.

AWS Forensics: What you need to know

16/06/2026
CSIRT
Nowadays, it is rare to find a company whose IT system does not rely, at least in part, on cloud technologies. These solutions offer numerous benefits, particularly in terms of the rapid deployment of services and infrastructure. However, these technologies require specific skills and knowledge for day-to-day administration. The same logic applies to handling an incident in those environments. So, if you are a forensic analyst or even a security analyst and you're not familiar with AWS, this article can serve as a starting point...

Surviving the surge of new Linux LPE: Defense in Depth not dead

29/05/2026
Systems
Thanks to AI-assisted vulnerability research and kernel patch diffing that breaks "responsible disclosure" embargoes, it's quite the overwhelming time for defenders. There's been a weekly reveal of new critical Linux vulnerabilities, with full exploit scripts made public days before patches are widely available. Yet, most of the exploitation chains that have been published recently can be mitigated by tried-and-true Linux security hardening, giving wary defenders time to patch while N-day attackers try their shiny new ./exploit.sh. Le...

Exploiting the Tesla Wall Connector from its charge port connector - Part 2: bypassing the anti-downgrade

12/05/2026
Exploit
Reverse-engineering
In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old, vulnerable firmware to the passive slot, reboot, and pop the debug shell. Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine. Every firmware image now carries a security ratchet value, and the updater refuses any ima...

Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge

06/05/2026
Exploit
The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to services listening on the local network, or launching an attack via a proximity network (Wi-Fi, Bluetooth, Zigbee). This article details the research conducted on the Philips Hue Bridge to achieve remote code execution (RCE) from the Zigbee network.

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ②

30/04/2026
Pentest
In part 1 of this blog post series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE. In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters. Our research finally puts an end to authentication reflection vulnerabilities targe...

Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1

27/04/2026
Pentest
A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following our analysis and the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This two-part blog post will cover our journey to bypass the mitigations, which led to the discovery of two new authe...

Say hi to Pike!

23/04/2026
Development
Tools
Systems
In this article we will introduce Pike, an experimental LLM agent that generates and analyzes Linux program execution traces. We will show that, with its simple architecture paired with a good LLM, Pike can quickly help debug a crash, identify malware, or give valuable high-level insights via a natural chat interface.