IoT Hacks Galore – Kieran Human – PSW #895
This week we kick things off with a special interview: Kieran Human from ThreatLocker talks about EDR bypasses and other special projects. In the security news:
- Hacking TVs
- Flushable wipes are not the only problem
- People just want to spy on their pets, except the devices can be hacked
- Linux EDR is for the birds
- What does my hat say
- we love exploits and hashes
- ESP32s in your router
- RF signal generator on a PI Zero
- Mic-E-Mouse and other things that will probably never happen, until they do
- Hacking with money
- Uninitialized variables and other things the compiler should catch
- Breaking out of the shell
- Hacking with sound, for real, not just another side channel attack
- Bring back 2G
- When the game engine gets hacked
- Oracle 0-days
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Kieran Human is the security enablement lead at ThreatLocker, known for his technical depth and public speaking on cyber risks. He earned a Bachelor’s degree in Information Technology with a minor in Secure Computing and Networks, followed by a Master of Science in Cybersecurity and Privacy from the University of Central Florida. His graduate thesis explored the intersection of cryptocurrency and cybercrime.
At ThreatLocker, Kieran’s work spans cyber threat analysis, technical communications, product development, and investigating advanced technical issues for enterprise clients. He also contributes to internal research and product refinement, working with developers to address security concerns.
Kieran is a frequent author of white papers and produces ThreatLocker educational webinars in collaboration with CEO Danny Jenkins. He approaches every technical challenge as a puzzle to be solved, aiming to deliver clear, actionable solutions while fostering a deeper understanding of cybersecurity.
Don't miss InfoSec World 2025 — October 27 to 29 at Disney’s Coronado Springs Resort! Cybersecurity pros, workshops before and after, and endless networking. Save 25% with code ISW25-SW at securityweekly.com/ISW2025!
Paul Asadoorian
- Docker makes Hardened Images Catalog affordable for small businesses
- Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984)
- Wiz Finds Critical Redis RCE Vulnerability: CVE-2025-49844
- This ILLEGAL Device Instantly KILLS All Network & TV Signals
- Taking remote control over industrial generators
- Getting Started with the Raspberry Pi for Hacking: Using Spiderfoot for OSINT Data Gathering – Hackers Arise
- Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain – CVE-2025-61882)
- Analysing a 1-day Vulnerability in the Linux Kernel’s TLS Subsystem
- The innocuous but interesting case of Signal’s UNENCRYPTED_FOR_TESTING username
- Pointer leaks through pointer-keyed data structures
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
- DrayTek warns of remote code execution bug in Vigor routers
- Android Lock Screen Bypass Through Google Gemini – Payatu
- Stop Shoddy Academic “Research”
- TOTOLINK X6000R: Three New Vulnerabilities Uncovered
- It’s Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604)
- Intel and AMD trusted enclaves, a foundation for network security, fall to physical attacks
- CISA Issues Alert on Active Exploitation of Linux and Unix Sudo Flaw
- American Archive of Public Broadcasting fixes bug exposing restricted media
- EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State
- LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover
When you insert a USB storage device in the TV it starts a listener on port 18888 that enables some file sharing capabilities that can be exploited to take full control of the device. Exploit code is included in the article. They mention something about peer devices, and I assume this is so the TV can talk to other devices and services to pull content. Neat trick and great exploit, though not practical, as it requires either physical access to the TV or for the user to insert a USB storage device in the TV and leave it there long enough for an attacker to run the exploit.
- Flushable wipes and Iran: Water treatment facility adds cyberattacks to worry list
Great article on the state of water treatment plants. They chronicle a small town in Vermont, where one person is responsible for running all systems for the water treatment plant, including cybersecurity. Volunteers are helping with assessments and hardening, but I fear that is not enough.
- Wanted to spy on my dog, ended up spying on TP-Link
This is really neat:
- The author struggled with onboarding and integration issues, leading them to investigate the device's API and authentication flows.
- Through techniques like decompiling the Android APK and MITMing TLS sessions with frida and mitmproxy, they revealed the Tapo camera’s default admin password: TPL075526460603. This password is used before any cloud-password sync occurs during onboarding, confirming the device has a default credential exposed early in setup.
- API calls are encrypted via a securePassthrough channel, but the researcher was able to decrypt and analyze the flows using custom Python scripts with mitmproxy, identifying the main onboarding actions: Wi-Fi access point scanning, enabling RTSP/ONVIF accounts, changing the admin password, and connecting to Wi-Fi.
- The investigation exposed inconsistent use of cryptographic hashing methods and multiple hardcoded public keys within the app, suggesting device password management is somewhat haphazardly implemented.
- Your Vulnerability Scanner Might Be Your Weakest Link
This is an important point in the article: "For example, across multiple widely deployed EDR products, none of the credential dumping techniques we described earlier generated alerts during our experiments. Detection rates were effectively zero. This strongly suggests that many Linux EDR solutions are optimized to check compliance boxes (e.g., “Linux support available”) rather than to deliver feature parity with their Windows agents, which tend to be far more mature and capable of detecting common attacker tactics, techniques, and procedures (TTPs)." - We do lack great EDR on Linux, vendors please step up!
- Hacking Furbo – A Hardware Hacking Research Project – Part 5: Exploiting BLE
This is actually a 6-part series on hacking Furbo, a pet monitoring camera solution. While previous research was done a while back, this new research walks you through a very detailed guide on IoT hacking and penetration testing. From removing the NAND flash, decrypting firmware, reversing the Android app, and exploiting BLE, it's all in there. Read through the entire series; whether you are a beginner or an experienced hardware pen tester, you will learn some things.
- GitHub – S0lidStat3/dendrite: Dendrite – A body camera direction finding hardhat
Neat: "Dendrite is a Bluetooth direction finding hardhat that is capable of performing signal strength based direction estimation of BLE devices. Its main software is a WLED usermod. When it detects a device it will switch WLED presets and overlay 5 white LEDs in the direction of each device on top of the WLED animation." - One problem that the PSW hosts pointed out: If you are wearing the hat you can't see the LEDs to get an indication of the BLE device proximity. Perhaps some audible cues are needed.
- GitHub – vulncheck-oss/0day.today.archive: An archive of 0day.today exploits
"0day.today was a long-running public repository of exploits and shellcode. It hosted tens of thousands of PoCs for vulnerabilities affecting a wide range of platforms. In early 2025, 0day.today went offline. Months later it came back but is missing all of its data, effectively erasing over a decade of exploit documentation from the internet. Due to the site's use of anti-bot protection, much of its content was never cached by the Internet Archive, making recovery difficult." - Something to clone as it may come in handy later. You like exploits? I like exploits. We should hang out.
- How a $20 Smart Device Gave Me Access to Your Home
Researchers extracted device firmware and debug logs using UART and tools like Flipper Zero, revealing MQTT credentials and API endpoints built from the MAC address and the firmware hash calculation secrets. Now, if you guess the MAC address, you can log in to the MQTT backend for any device (or brute force). Exploit tests showed that cross-account attacks are possible, allowing a user from one household to unlock devices in another by publishing commands to device topics on the MQTT broker without any additional authorization. This is where ESP32 knowledge comes in handy, as the onboard SoC is just an ESP32-WROOM-32 with UART enabled. There did not appear to be any secure boot or firmware encryption implemented, even though these features are available for the ESP32 platform.
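The cross-account problem above comes down to a broker that treats "authenticated" as "authorized": once a client holds any valid MQTT credential, knowing another device's MAC-derived topic is enough to command it. The following is an added example (not code from the article or the vendor) that models a broker-side publish ACL in Python. The topic layout `devices/<device_id>/cmd|status`, the account ownership table and the per-device credential names are constructed assumptions for illustration; the weak function reproduces the failure mode described, and the hardened one binds each credential to the devices it may address.

```python
"""Topic-level publish authorization for an IoT MQTT backend.

Constructed example: a tiny in-memory model of a broker's publish ACL.
The topic layout, ownership table and credential names are assumptions
for illustration, not any vendor's real scheme.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Topic layout assumed here: devices/<12-hex-digit MAC-derived id>/<channel>
TOPIC_RE = re.compile(r"^devices/([0-9a-f]{12})/(cmd|status)$")

# Constructed ownership table: account -> device ids that account controls.
OWNERSHIP = {
    "household-a": {"a4cf12000001"},
    "household-b": {"a4cf12000002"},
}

# Constructed per-device credentials: MQTT username -> the one device it is bound to.
DEVICE_CREDENTIALS = {
    "dev-a4cf12000001": "a4cf12000001",
    "dev-a4cf12000002": "a4cf12000002",
}


@dataclass
class Client:
    username: str              # identity the client authenticated as
    account: Optional[str]     # owning account for app/user clients, None for devices


def parse_topic(topic: str):
    """Return (device_id, channel) for a well-formed topic, else None."""
    m = TOPIC_RE.match(topic)
    return (m.group(1), m.group(2)) if m else None


def weak_authorize_publish(client: Client, topic: str) -> bool:
    """Authenticated == authorized: any valid login may publish to any device.

    This is the failure mode in the write-up: guessing another device's
    MAC-derived id is enough to send it commands.
    """
    return parse_topic(topic) is not None


def hardened_authorize_publish(client: Client, topic: str) -> bool:
    """Bind each credential to the devices and channels it may touch."""
    parsed = parse_topic(topic)
    if parsed is None:
        return False
    device_id, channel = parsed

    # Device credentials may only publish their own status, never commands.
    if client.username in DEVICE_CREDENTIALS:
        return channel == "status" and DEVICE_CREDENTIALS[client.username] == device_id

    # App/user clients may only send commands to devices their account owns.
    if client.account is not None:
        return channel == "cmd" and device_id in OWNERSHIP.get(client.account, set())

    return False


if __name__ == "__main__":
    attacker = Client("app-user-a", "household-a")
    victim_topic = "devices/a4cf12000002/cmd"
    print("weak:", weak_authorize_publish(attacker, victim_topic))          # True
    print("hardened:", hardened_authorize_publish(attacker, victim_topic))  # False
```

In a real deployment the same rule belongs in the broker's ACL plugin (or a per-client ACL file), and the device credential should be unique per unit and provisioned at manufacture, so that neither the MAC nor a shared firmware secret is sufficient to derive it.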
- psyb0t/piraterf: PIrateRF transforms your Raspberry Pi Zero W into a portable RF signal generator
"PIrateRF transforms your Raspberry Pi Zero W into a portable RF signal generator that spawns its own WiFi hotspot. Control everything from FM broadcasts to digital modes through your browser - hack the airwaves from anywhere!" - Time to dig up my Raspberry Pi Zero 1 W. (Note: "Pi Zero 2 W does NOT work - rpitx requires the BCM2835 chip (Pi Zero 1 W) for predictable clock timing. The Pi Zero 2 W uses BCM2710A1 which breaks rpitx's timing assumptions.")
- Mic-E-Mouse
"High-Performance Optical Sensors in Mice expose a critical vulnerability — one where confidential user speech can be leaked. Attackers can exploit these sensors’ ever-increasing polling rate and sensitivity to emulate a makeshift microphone and covertly eavesdrop on unsuspecting users. We present an attack vector that capitalizes on acoustic vibrations propagated through the user’s work surface, and we show that existing consumer-grade mice can detect these vibrations. However, the collected signal is low-quality and suffers from non-uniform sampling, a non-linear frequency response, and extreme quantization. We introduce Mic-E-Mouse, a pipeline consisting of successive signal processing and machine learning techniques to overcome these challenges and achieve intelligible reconstruction of user speech." - Another novel side-channel attack. The chances of seeing this in the wild are pretty low. Some suggested that you upgrade your mice firmware as vendors may release patches. This is even less likely.
- GitHub – ZerkerEOD/krakenhashes
"KrakenHashes is a distributed password cracking system designed for security professionals and red teams. The platform coordinates GPU/CPU resources across multiple agents to perform high-speed hash cracking using tools like Hashcat through a secure web interface. Think of KrakenHashes as a full management system for hashes during, after and before (if a repeat client). Ideally, while also checking hashes for known cracks, we update a potfile with every hash and that can be used as a first run against other types of hashes for a potential quick win." - Something to test out, and increase your power bill.
- Qualcomm’s buying Arduino – what it means for makers
Hopefully good things, but when large companies get involved it's usually not good things.
- I’ve Written About Loads of Scams. This One Almost Got Me.
Zelle is the Mos Eisley of banking; no one should ever use it again, unless you want to be part of a scam and send random people money. This scam is typical, somewhat smart, and likely works enough to warrant the effort.
- ‘You’ll never need to work again’: Criminals offer reporter money to hack BBC
This is my: "What if Russians drop off a bag of money scenario" that is actually happening in the real world. Again, it seems to work well enough that attackers are investing in it, which means users go to the dark side more than we like to think.
- Hackers are Exploiting This and Nobody’s Stopping it
Sensational headline, but actually a fantastic explanation of uninitialized variable vulnerabilities. It gets deep into the weeds of C/C++ memory management and allocation. Great watch.
- An In-depth research-based walk-through of an Uninitialized Local Variable Static Analyzer
If you want even more info on uninitialized variables: "The battle against uninitialized local variables (ULVs) is not over. While modern compilers have become more adept at catching ULVs, vulnerabilities persist especially in stripped binaries where metadata and debug info are unavailable. For binary-only analysis, this work presents a static analyzer built on the Binary Ninja platform to detect ULVs—variables that are read before being initialized—whose presence can lead to data leaks or crashes."
- Enterprise IoT Pentesting: Bypassing Restricted Shell on Uniview Security Camera
I love this trick: Stop the boot process and get into the bootloader, then modify a shell script to give you a shell, then when you boot up you simply run that shell script to obtain full access to the device (rather than a restricted shell).
- lr-m/Yihaw: This is a suite of tools/PoCs/exploits for cameras using the Yi IoT application
Lots of interesting stuff here, but this really caught my attention: "This one is honestly quite cool, the app plays a sound that contains the credentials, the camera receives this sound, decodes it, and connects to the access point. According to the app, it's a 'new' feature - which means there is a pretty good chance there will be some dodgy code!" - Basically, you play a sound, the device parses it, and applies Wi-Fi settings. The problem is there are memory corruption vulnerabilities in this process, so your exploit is a WAV file. I love this so much! So wait, if I play this sound: https://github.com/lr-m/Yihaw/blob/a086816d5f6f64472eff0f24b076ef2cdf15ccd5/fridahooks/Bug%201/bug1PoC_sound.wav - I can pwn your device? I will not play this on the show, or maybe I will :)
Larry Pesce
- FTC and D-L I N K, yeah you know me…
From 2019/2020 timeframe, but it feels like this one went under the radar.
- Notepad++ DLL Hijack Flaw Lets Attackers Run Malicious Code
- That annoying SMS phish you just got may have come from a box like this
- 2G Gone? Bring It Back Yourself!
Lee Neely
- Unity Game Engine Vulnerable to Arbitrary Code Execution
In June 2025, RyotaK, a security engineer at GMO Flatt Security, responsibly disclosed a high-severity flaw in the Unity game engine, affecting Android, Windows, Linux, and macOS systems. CVE-2025-59489, CVSS score 8.4, allows an attacker to locally execute arbitrary code and exfiltrate confidential information from systems, exploiting a vulnerability in Unity Runtime's intent handling process that loads library code from an unintended location and enables a malicious application to take the permissions granted to Unity applications. RyotaK's analysis also notes the possibility of remote exploitation under certain conditions. Unity has published a security advisory with patches for Unity Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2, as well as for no-longer-supported versions including 2019.1 and newer. The patch itself is not the full fix: developers must rebuild and redeploy vulnerable applications using the updated editor.
The Unity patch was released October 2nd. If you're building apps using Unity, you'll need to either recompile them with the patched editor or replace UnityPlayer.dll in your existing builds and redeploy. While the flaw was discovered on Android in the Unity intent handler, the root cause is present on Windows, macOS, and Linux.
Unity Security Bulletin: https://unity.com/security/sept-2025-01
- Red Hat Confirms Theft of Consulting Engagement Data
On October 2, 2025, Red Hat posted a security update disclosing unauthorized access to a GitLab instance belonging to Red Hat Consulting. Once the company detected the intrusion, they removed the intruder's access, isolated the GitLab instance, contacted authorities, and implemented security hardening for containment and prevention of future attacks. Red Hat began investigating immediately and determined that an attacker had exfiltrated information from a GitLab instance containing consulting engagement data including "Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information." Red Hat believes that this breach only affects Red Hat Consulting customers, and does not have evidence of impact on Red Hat products, services, or software supply chain. The company also confirms that this attack is unrelated to the previous day's critical vulnerability in OpenShift AI (CVE-2025-10725). Investigation is ongoing, and potentially affected customers will be notified directly. GitLab has emphasized that the breached instance was self-managed, and "there has been no breach of GitLab’s managed systems or infrastructure."
Don't overlook that Red Hat took steps to harden their environment to prevent recurrence. In addition, only Red Hat consulting customers are impacted, so if you only license their products, but didn't engage their consulting services, you're in the clear. For the rest of us, the Crimson Collective is boasting they raided 28,000 Red Hat repositories, including hundreds of customer engagement letters, which include project specifications as well as authentication tokens and network maps.
- Discord Security Incident Involving Third-Party Customer Service
Discord recently discovered an incident where an unauthorized party compromised one of Discord’s third-party customer service providers. This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams.
Discord will contact any affected users exclusively from [email protected] and never by phone.
Not the way to find out your third-party provider has been compromised. Regularly make sure you have current contact information for each other, you know each other, and both your security settings are up to current standards, to include MFA and monitoring/alerting. I may sound like a broken record here, but it's just too easy to set and forget your third-party services, which can come back to haunt you.
- Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks
Okta and Zscaler were among the hundreds of Salesloft Drift customers targeted in the supply chain attacks that led to the theft of Salesforce customer data. Salesloft's initial investigation, conducted by Mandiant, indicates that between March and June 2025, the threat actor accessed Salesloft's GitHub account and downloaded "content from multiple repositories, ... then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations." The data theft took place in mid-August. Salesforce notified Zscaler that it was a victim a week after the data theft; Zscaler revoked its compromised Drift OAuth token "even though it didn’t really matter by that point," according to Zscaler CISO Sam Curry. The threat actor had already stolen Zscaler customer data. Zscaler had stopped using Drift before the attack, but the related OAuth token was still active, set to be retired at the end of August. Okta became aware that something was up when there were warnings of issues with Drift. Okta detected attempts "to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes," according to information from Okta CISO David Bradbury. Because of that configuration, Okta did not experience customer data theft.
Take note here, IP address restrictions on API calls saved Okta's bacon. Once again third-party security matters. Limiting access to APIs is very different from limiting user access by IP, and it's worth taking a serious look at.
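The control that worked for Okta is simple to state: every integration token is pinned to the source ranges its vendor publishes, and any use from elsewhere is denied and alerted on. The following is an added example (not Okta's, Salesloft's or Zscaler's code or configuration) that shows the check in Python: a per-token CIDR allowlist, an evaluation that fails closed on unknown tokens, and a pass over constructed API-gateway log lines that emits the out-of-range uses a SOC would want to see. The log format, token names and CIDRs are all constructed assumptions.

```python
"""Pin API/OAuth tokens to source-IP ranges and flag out-of-range use.

Constructed example: the log format, token ids and CIDRs below are
assumptions for illustration, not any vendor's real configuration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed allowlist: integration token -> CIDRs its vendor publishes.
TOKEN_ALLOWLIST: Dict[str, List[str]] = {
    "tok-drift-01": ["203.0.113.0/24"],
    "tok-crm-02": ["198.51.100.0/24", "2001:db8::/32"],
}

# Constructed gateway log format: "<ts> token=<id> src=<ip> api=<path>"
LOG_RE = re.compile(r"token=(?P<token>\S+)\s+src=(?P<src>\S+)\s+api=(?P<api>\S+)")

# Constructed sample lines: one in-range use, one out-of-range use of a
# pinned token, one IPv6 in-range use, and one use of a token nobody pinned.
SAMPLE_LOG = """\
2025-08-13T09:01:10Z token=tok-drift-01 src=203.0.113.45 api=/v1/accounts
2025-08-13T09:02:44Z token=tok-drift-01 src=192.0.2.77 api=/v1/accounts/export
2025-08-13T09:03:01Z token=tok-crm-02 src=2001:db8::1 api=/v1/contacts
2025-08-13T09:03:09Z token=tok-unknown src=192.0.2.78 api=/v1/contacts
"""


def compile_allowlist(allowlist: Dict[str, List[str]]):
    """Parse CIDR strings once so each log line is a cheap membership test."""
    return {tok: [ipaddress.ip_network(c) for c in cidrs] for tok, cidrs in allowlist.items()}


def is_allowed(token: str, src_ip: str, networks) -> bool:
    """True only if the token is pinned and the source lies in one of its ranges."""
    nets = networks.get(token)
    if nets is None:
        return False  # unpinned/unknown token: fail closed rather than open
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable source: treat as a violation
    # An IPv4 address is never "in" an IPv6 network (and vice versa), which is what we want.
    return any(addr in net for net in nets)


def find_out_of_range_uses(log_text: str, allowlist=TOKEN_ALLOWLIST) -> List[Tuple[str, str, str]]:
    """Return (token, src, api) for every logged use outside the token's allowed ranges."""
    networks = compile_allowlist(allowlist)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a token-use record; skip
        token, src, api = m.group("token"), m.group("src"), m.group("api")
        if not is_allowed(token, src, networks):
            alerts.append((token, src, api))
    return alerts


if __name__ == "__main__":
    for token, src, api in find_out_of_range_uses(SAMPLE_LOG):
        print(f"ALERT token={token} src={src} api={api} outside allowed range")
```

The same predicate can run inline at the API gateway (deny) and over the logs afterwards (detect); the point of the Okta lesson is that both happen, so that a token exfiltrated from a third party is useless from the attacker's infrastructure and its attempted use is visible.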
- Oracle links extortion campaign to bugs addressed in July patch
Last week, researchers from Google Mandiant and Google Threat Intelligence Group (GTIG) reported that they were tracking malicious activity with possible links to the Cl0p threat actor. Mandiant and GTIG said that the threat actors were stealing data from Oracle E-Business Suite users. On Thursday, October 2, Oracle confirmed that some E-Business Suite customers received emails demanding payment or face having sensitive information released. At the time Oracle CSO Rob Duhart wrote that the company's "ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.”
Given the zero-day, and threats of extortion from Cl0p, I'd make darn sure you've deployed the July CPU and are about to roll the October one. If you didn't already deploy July in your EBS, skip it and prioritize the October update. The entry point for the attack is obtaining credentials using EBS password reset functions to obtain credentials for local accounts not using MFA. So beyond the patch, you need to ensure local accounts, which cannot be converted to SSO, require MFA - and make sure your SSO also uses MFA.
- Oracle Publishes Advisory for Critical Zero-day in Oracle E-Business Suite
Oracle has published a Security Alert Advisory for a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite that is being actively exploited by Cl0p threat actors. Users are urged to update as soon as possible, with the caveat that the update requires users to have applied the October 2023 Oracle Critical Patch Update.
Dr. Johannes Ullrich has published a "Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882)" in an Internet Storm Center (ISC) diary. https://isc.sans.edu/diary/Quick+and+Dirty+Analysis+of+Possible+Oracle+EBusiness+Suite+Exploit+Script+CVE202561882+UPDATED/32346
CVE-2025-61882, SSRF, HTTP Request/Response Smuggling, Path Traversal and Improper Restriction of XML External Entity Reference, has a CVSS score of 9.8 and impacts the BI Publisher Integration of Oracle's EBS versions 12.2.3-12.2.14. This is in the KEV with a due date of 10/27. If your EBS is Internet facing, don't wait that long, particularly as this flaw is easily remotely exploited without authentication. Get the IOCs to your threat hunters, get rolling on the update, don't forget you're going to have to work with your CFO to get the downtime approved, maybe double up on your PSL this morning. Make sure your WAF is blocking invalid HTTP/1.2 as well as limiting access to port 7201. Oracle CPUs are generally cumulative, so long as your last CPU was 10/2023 or newer, one update will do it.
- CISA Adds Twelve Known Exploited Vulnerabilities to Catalog
Over the past week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added a dozen CVEs to the Known Exploited Vulnerabilities (KEV) catalog. Of those, half are more than a decade old; all 12 have been granted the regular three-week mitigation deadline. The CVEs are: a GNU Bash OS command injection vulnerability (CVE-2014-6278); a Jenkins remote code execution vulnerability (CVE-2017-1000353); a Juniper ScreenOS improper authentication vulnerability (CVE-2015-7755); an out-of-bounds write vulnerability in Samsung mobile devices (CVE-2025-21043); a command injection vulnerability in Smartbedded Meteobridge (CVE-2025-4008); a Linux Kernel heap out-of-bounds write vulnerability (CVE-2021-22555); an uninitialized memory corruption vulnerability in Microsoft Internet Explorer (CVE-2010-3962); a privilege escalation vulnerability in Microsoft Windows (CVE-2021-43226); an out-of-bounds write vulnerability in Microsoft Windows (CVE-2013-3918); a remote code execution vulnerability in Microsoft Windows (CVE-2011-3402); a remote code execution vulnerability in multiple Mozilla products (CVE-2010-3765); and an unspecified vulnerability in Oracle E-Business Suite (CVE-2025-61882).
At this point you should no longer have Internet Explorer (IE). CVE-2010-3962 was patched with MS10-090; instead, use Edge in compatibility mode or, better still, update apps which relied on IE so they are no longer dependent on a single browser.
- Beer Giant Asahi Says Data Stolen in Ransomware Attack
Japanese brewing giant Asahi Group Holdings has confirmed that a ransomware attack has caused the week-long outage at its domestic subsidiaries.
The company disclosed the incident last week, blaming order and shipment operational disruptions, and call center downtime on a cyberattack that resulted in system failures.
The Japanese beer giant owns known international brands, such as Grolsch, Peroni, and Pilsner Urquell. It also owns Fullers, the UK producer of London Pride.
- JLR to begin production restart following cyber shutdown
A Jaguar Land Rover (JLR) spokesperson has confirmed to the Register that the company expects manufacturing to resume over the next few days. The company's three UK production plants are likely to start up gradually, taking several weeks to return to operating as usual. JLR shut down operations at the beginning of September.
It's not going to be a "finger snap" to restore these manufacturing lines; expect impacts to carry into late November. Fortunately, this restart, together with the loan guarantee, should help offset the impacts to the more than 100,000 workers affected, 30,000 of whom work in the JLR manufacturing facilities. Use this incident to really understand where the downstream impacts of an outage can be and make conscious decisions about what can, or cannot, be done to mitigate them.
- Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities
Google and Mozilla have released updates to address security issues in their flagship browsers. Google released Chrome 141, which addresses 21 vulnerabilities, including 12 reported externally. Of those, two are high-severity heap buffer overflow issues affecting Chrome’s WebGPU and Video components (CVE-2025-11205 and CVE-2025-11206). Mozilla released Firefox 143.0.3 to address two high-severity vulnerabilities in the Graphics: Canvas2D and JavaScript Engine: JIT components.
Update all your browsers. It's to the point where I check all my browsers weekly, updating if available; it's almost like when we were dealing with Flash. Have a conversation about what would be the least painful: a regular forced restart to apply the update, or something more hands-on. Don't forget Edge is a Chromium-based browser with an update you need to make sure gets deployed.