Hacking IP KVMs & Reversing with Radare2 – Sergi Àlvarez – PSW #918
In this episode, we sit down with the Radare community leader, Pancake, the creator of the Radare2 reverse engineering framework. Whether you’ve never heard of Radare, already use it daily, or are thinking about contributing to its development, this conversation will demystify what makes Radare unique, why thousands of engineers rely on it, and how you can step into the community.
This segment is sponsored by NowSecure. Discover how AI-powered mobile app security testing finds hidden vulns and leaks at https://securityweekly.com/nowsecure.
In the security news:
- The US national cyber strategy
- in the category of dumb laws and 3d printing guns
- Iranian threat analysis
- ESP32 Bus Pirate gets some amazing updates
- I can reset the admin password
- Rick-rolling yourself
- Chrome 0days
- Re-purposing those old Ubiquiti cloud keys
- The new TLS certificate lifecycle
- A Flipper Zero add-on and news on the FlipperOne
- glassword malware
- Do you care about exploits or patching?
- attacking nuclear research centers
- how we uncovered 9 vulnerabilities in IP KVMs
- and hacking your laundry card with Claude
Sergi Àlvarez, also known as “pancake,” is a long-time free software and security enthusiast. He is best known as the creator and lead developer of Radare2, a powerful and versatile reverse engineering framework that began in 2006 as a free forensic analysis tool and later evolved into a comprehensive platform for malware analysis, debugging, and low-level research.
His work in reverse engineering spans Capture the Flag competitions, vulnerability research, codec optimization, and the development of security tools. He has presented his research at conferences worldwide. Currently, he works at NowSecure, where he focuses on mobile security research and develops tools that enhance privacy and strengthen the security of mobile applications and devices.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Paul Asadoorian
- Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
- North Korean’s 100k fake IT workers net $500M a year for Kim
- Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls
- Hacking The System In A Moral Panic: We Need To Talk
In the dumb laws of the week segment, in addition to age verification to download Linux, they are now trying to mandate 3D printers detect if you are trying to print a weapon. This is an interesting crossroads between technology and policy... Example: "The latest surrounds a Washington State Legislature bill, HB2320, which criminalises the printing of unregistered guns. Perhaps most controversially, it seeks to impose a requirement on printers sold in the state to phone home and check a database of known firearms and refuse to print them when asked."
- $75,000,000 Crypto Wallet Bulk Hack
I have not watched yet, but Joe Grand is making some amazing content and his soldering skills are God-like.
- ESP32 Bus Pirate: Update Brings Waterfall Displays, Cellular Modem Support and External Radio Expander
Some major updates here, worth a second look as when I tested it the documentation wasn't great and I don't believe it supported any RF protocols: "It consolidates what would typically require several separate tools — logic analyzer, UART adapter, JTAG probe, RFID reader, Sub-GHz radio — into one $10–$30 device. The web-based CLI means you can interact with it wirelessly from any browser with no drivers. For firmware research, the SPI flash commands (flash analyze, flash strings, flash search, flash dump) are directly useful for extracting and reversing chip firmware." - I even bought a bunch of cables and connectors to interface with different hardware and protocols. Time to test again!
- Reversing the FT100 BLE Fitness Bracelet
- A Nerd’s Life: Weeks of Firmware Teardown to Prove We Were Right – Quarkslab’s blog
I really like the part where they rick rolled themselves...
- Bypassing debug password protection on the RH850 family using fault injection – Quarkslab’s blog
- Now You See mi: Now You’re Pwned
AI summary: "TASZK Security Labs found three vulnerabilities in Xiaomi's proprietary miIO protocol on the C400 Smart Camera: an authentication bypass allowing setup completion without the physical QR code, a cryptographically weak PRNG (uClibc ALFG) that leaks Wi-Fi credentials, and a heap buffer overflow in AesCbcDecrypt() on UDP/54321. Chaining vulns #1 and #3 yields a full root RCE via fastbin corruption → function pointer overwrite → ROP → shellcode injected through /proc/self/mem, with no ASLR bypass needed since miioclient is non-PIE. Post-exploitation, they deployed a persistence implant via LD_PRELOAD that replaces the Xiaomi cloud stack entirely, streaming camera feeds over TLS and blocking cloud egress via firewall rules — a full 'cloud jailbreak'."
- Turning a Ubiquiti Unifi Cloudkey Gen 1 into a Sharkjack
I love this hardware re-purpose, and the step by step guide looks really good. I have a couple laying around and want to test this.
- I dug into the Flipper One’s firmware, and it’s not a Flipper Zero sequel — it’s a pocket Linux PC
Interesting analysis: "But here's the thing: even if the timeline is uncertain, the direction is exactly right. A modular pentesting platform running Linux that fits in your pocket is what the Flipper Zero always felt like it was trying to be. The Zero got close, but it was held back by its hardware and its largely-fixed radio stack. The Flipper One, at least on paper, doesn't have those same limits. I've been waiting for this device for a while now. And if it ships at anything close to what the prototypes and repos suggest, it'll be worth the wait."
- Rabbit-Labs Flipper Zero ESP32-C5 multi-board features CC1101, GPS, and dual-band Wi-Fi 6 – CNX Software
While this gives you more capabilities, including Wi-Fi 6 support on the Flipper, it's expensive. You could almost buy a Raspberry Pi and a Wi-Fi dongle and just run Kali. However, this device comes with a bunch of features (Wi-Fi 6/BLE/CC1101/Zigbee) and Rabbit Labs products are truly amazing and I highly recommend them. Not only are they quality but the owner stands behind his products and is amazing to do business with.
- Reason #42 Why InfoSec Has Failed
- Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities
The vulnerabilities and exploits surrounding Cisco's SD-WAN advisories are a complicated web, and it's messy. I'm trying to figure out what this means for defensive teams. Do we really need to test for the vulnerability and exploit? Do we care if an exploit exists or not? For Cisco, often we don't see a public exploit because it's too valuable to threat actors, so perhaps it's bought and sold behind closed doors. What matters? Figuring out if you have Cisco SD-WAN, which products, and which versions, then patching them. You can't delay. You no longer have time to see if an exploit exists or if the public exploits are working or not. Even if you patch when the advisory is released, it's already too late. We need to automate patching and testing. We need to monitor our devices the same way we monitor Windows systems. We need EDR for our devices, which requires vendors to open the "iron curtain" currently protecting the crappy Linux distro that is underneath your expensive enterprise appliance.
- GitHub – pasadoorian/MiTMBeast
I just want to be clear: This is not a new tool. It's just a collection of vibe-coded scripts that chain together a bunch of known tools and techniques to achieve a goal. The goal? Create a separate network (with Wi-Fi) to put IoT devices on, then control and inspect network traffic and protocols. All of the tools existed already, I just used Claude to string them together to save time. I used these scripts to test some of the KVMs, primarily making sure the firmware updates were secure and SSL was properly implemented. I tested JetKVM, and according to my results, JetKVM has properly implemented TLS/SSL in every way. I open-sourced it so you can try it for yourself and help the world evaluate the security of IoT devices...
- 10 Things Linux Can Do That Windows Still Can’t
I think there are some better reasons than the ones listed here. Customizing the UI and file systems is one thing; one great thing about Linux is you can customize the code, drivers, etc... Some say this is a negative because it's hard, but also one of Linux's super powers is it's open-source, so you can make stuff work. I think the argument is that the vendors and manufacturers should make stuff work on Linux, and I agree.
- I Hacked My Laundry Card. Here’s What I Learned.
It's a brave new world we live in: "I’m a CS student. I had never touched NFC security before. I had no idea what a Mifare Classic was, how sectors and blocks worked, or what a “value block” format looked like. I had my new Flipper Zero and Claude Code. I pointed both of them at my laundry card. Within an hour, I had reverse-engineered the card format, figured out the balance encoding, and discovered an architectural flaw that makes every deduction reversible."
- The architectural flaw: "This works because the system separates writing from validating. The reload machine signs the data. The washer trusts the signature but can never create a new one. Every deduction can be undone."
- Your KVM is the Weak Link: How $30 Devices Can Own Your Entire Network
Details are in the blog post. I'd like to share some of the behind-the-scenes info, including:
- JetKVM's response (Awesome)
- Other vendors' responses (Not so awesome)
- How awesome my co-worker Rey is
- How to manage vendors and disclosure, especially last-minute requests
- There is a set of scripts on Github to do similar research
- Things I could have done better when managing 9 vulnerabilities, 4 vendors, 2 researchers, US-CERT, marketing, and PR - These include 1) Get one URL for your blog post 2) Better to be a CNA than relying on 3rd party to create CVEs by proxy 3) Effective communication and tools vs. scripts 4) Testing and reporting all conditions equally across vendors 5) Better data for the market and where/how devices are used.
Jeff Man
- National Cyber Strategy for America
[NCS == National Cyber Strategy] We should overlay all our discussions with the strategy and ask ourselves which of the six pillars are we addressing? To summarize:
1. Shape Adversary Behavior
2. Promote Common Sense Regulation
3. Modernize and Secure Federal Government Networks
4. Secure Critical Infrastructure
5. Sustain Superiority in Critical and Emerging Technologies
6. Build Talent and Capacity
- Telus Digital hit with massive data breach
"The attack is described as not ‘smash-and-grab ransomware’, but ‘strategic, disciplined, and optimized for maximum leverage.’" - imagine that.
The attack is credited to the ShinyHunters criminal group which is known for exploiting weak security postures. This article states that TELUS has taken steps to "secure their systems against further intrusion". Which begs the question of what were they NOT doing prior to the breach?
Corollary to NCS: pillar #2 suggests relaxing cyber security regulations. What is TELUS subject to in terms of regulatory security standards, and what was too onerous to follow? OR... they weren't subject to much of anything and they require more regulation to be forced to do the bare minimum security hygiene practices.
- Ericsson US Discloses Data Breach as Hackers Steal Employee and Customer Data
Don't worry - it wasn't Ericsson's fault, just a third party used to process and store sensitive data. Corollary to NCS: 2. common sense regulation and 4. secure critical infrastructure. But who is looking out for the third party service providers?
- Trump’s Cyber Strategy Falls Short on China, Iran, and the Threats That Matter Most
Iranian cyber retaliation is escalating. Chinese operators remain embedded in U.S. infrastructure. Ransomware groups continue to disrupt hospitals, schools, and local governments. Trump's recently released cyber strategy raises doubts the administration is prepared to address these threats. Oh wait, the strategy is just a "high-level statement of intent, with action items to come." It took over a year to come up with high-level statements of intent (e.g. the six pillars)? There's nothing new presented here - "it depends" and "the devil is in the details" come to mind. Lack of detail, little attention to the threat landscape, lots of hyperbole without any specific details or action items or timeline.
- Re: Notice of Data Security <>
Form letter announcing the breach to Ericsson customers. Bonus: you get free credit monitoring for a year!
- Cyber Readiness During Escalating Geopolitical Conflict
Let's call this a #PSA - Horizon3.ai is providing some targeted threat analysis on mounting Iranian-based cyberattack campaigns during this time of war.
Lee Neely
- Critical HPE AOS-CX Vulnerability Allows Admin Password Resets
Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity vulnerability in Aruba Networking AOS-CX that could be exploited to reset administrator passwords. The issue, tracked as CVE-2026-23813 (CVSS score of 9.8), impacts the web-based management interface of AOS-CX switches and can be exploited remotely, without authentication, to bypass authentication controls.
This affects the web-admin interface of your Aruba CX switches and can be remotely exploited without authentication. You need to do a couple of things: First, make sure that you're on the supported updated release. Older, unsupported versions of AOS-CX have the flaw but will not be getting updates. Second, make sure that you're restricting access to the web-admin interfaces to only authorized devices, preferably not over the WAN. Two more things: Make sure that you've enabled comprehensive logging, and disable the HTTPS interfaces on switched virtual interfaces and routed ports.
- Google fixes two new Chrome zero-days exploited in attacks
Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks. "Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday. The first zero-day (CVE-2026-3909) stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution. The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
I was wondering about that update button I spotted today. Hopefully all your browsers are automatically checking for updates and installing them on next launch. That means all you need to do is relaunch regularly. And while you're at it, don't forget to check your non-Chromium based browsers, such as Firefox; even with less frequent updates, your discipline should be equivalent.
- Third Man Charged in Ransomware Negotiator Extortions
Recently unsealed court documents name Angelo Martino as the previously unnamed co-conspirator of Ryan Clifford Goldberg and Kevin Tyler Martin in extortion of US companies as affiliates of the ALPHV BlackCat ransomware scheme in 2023. At the time of the attacks, Martino and Martin were employed as ransomware threat negotiators at DigitalMint, and Goldberg was an incident response manager for Cygnia Cybersecurity Services. Martin and Goldberg were indicted in October 2025 and pleaded guilty to charges of extortion in December.
We finally know who the third musketeer is, and that he was also working for DigitalMint with Kevin Martin. I can't help but feel this calls into question any plans of negotiating for a ransom demand, particularly as the guidance remains not to pay, instead of enlisting agencies like the FBI to obtain a resolution and decryption option.
- Maximum TLS Certificate Lifecycle is Now 200 Days
As of March 15, 2026, the maximum certificate lifespan for TLS certificates has dropped to 200 days. The change is one step in a process established by the CA/Browser Forum: On March 15, 2027, the maximum validity period of subscriber certificates will drop to 100 days, and on March 5, 2029, that window will be shortened to 47 days. Certificate authorities began making the change shortly before the deadline. DigiCert moved to issuing certificates with a maximum 199-day validity window on February 24, 2026, and SSL began issuing certificates with 200-day expiration dates on March 11, 2026. As SSL explains, the rationale for the shortened validity window lies in enhanced security, improved cryptographic agility, and stronger validation practices.
This is the continuation of an ever-shrinking certificate lifetime. Your mission — and whether or not you accept it, these shortened lifetimes are coming — is to automate your certificate updates. You want to be in a position where you don't have to care how rapidly certificates need to be updated. With the increasing number of places we have certificates, and with shortening timelines, hand feeding and maintenance of them is becoming untenable/unsustainable. Start with discovery: You need to know where all your certificates are, as well as what encryption is in use, and you need to be prepping for PQC as well. Start with low-hanging fruit and save the more difficult areas, hopefully less than 20%, for after these are all squared away and you've got more experience to draw from.
- GlassWorm Spreading on GitHub Through Force-Push and Dependencies
StepSecurity is warning of an ongoing campaign compromising hundreds of Python repositories on GitHub with GlassWorm malware, which notably is now being injected into developers' code without leaving evidence in the activity feed.
The attack begins with compromised accounts from developers who were infected with the GlassWorm malware, grabbing their ~/.git-credentials and GITHUB_TOKEN environment variables. Next the malware is added using a technique which causes the new commit to not appear as new, as the commit comment and author date remain unchanged, but the committer date is still updated. Grab the IoCs from the StepSecurity blog, check for the marker variable as well as ~/init.jason which provides persistence, and review your git commit history of repos you've cloned. Keep an eye out for code comments in Russian, Solana C2 address, and funding wallet.
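A triage check for the timestamp pattern described above (author date preserved, committer date refreshed), written here as an added example and not StepSecurity's or the show's code; it assumes a local clone and uses only standard `git log` format placeholders:

```python
"""Flag commits whose committer date lags far behind their author date.

Added example (not StepSecurity's or the show's code): the GlassWorm item above
notes that injected commits keep the original message and author date while the
committer date is refreshed. `git log` exposes both timestamps, so a large gap
between them is a cheap triage signal for rewritten history. Rebases and
cherry-picks create the same gap, so treat hits as leads to review, not proof.
"""
import subprocess
from dataclasses import dataclass

# Tab-separated fields: hash, author unix time, committer unix time, author, subject
GIT_LOG_FORMAT = "%H%x09%at%x09%ct%x09%an%x09%s"
ONE_DAY = 86400


@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    subject: str

    @property
    def lag_seconds(self) -> int:
        """Seconds the committer date is later than the author date."""
        return self.committer_ts - self.author_ts


def parse_git_log(text: str) -> list[Commit]:
    """Parse `git log --format=GIT_LOG_FORMAT` output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps tabs inside the subject from breaking the record
        sha, author_ts, committer_ts, author, subject = line.split("\t", 4)
        commits.append(Commit(sha, int(author_ts), int(committer_ts), author, subject))
    return commits


def flag_rewritten(commits: list[Commit], max_lag: int = ONE_DAY) -> list[Commit]:
    """Return commits whose committer date trails the author date by more than max_lag."""
    return [c for c in commits if c.lag_seconds > max_lag]


def scan_repo(path: str, max_lag: int = ONE_DAY) -> list[Commit]:
    """Run git log on a local clone at `path` and flag suspicious commits."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={GIT_LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return flag_rewritten(parse_git_log(out), max_lag)


# Constructed sample log output (hashes and names are made up, not real IoCs).
# The third commit reuses an old author date but was committed ~115 days later.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\t1700000000\t1700000000\tdev\tAdd parser",
    "2222222222222222222222222222222222222222\t1700003600\t1700003600\tdev\tFix typo",
    "3333333333333333333333333333333333333333\t1700007200\t1710000000\tdev\tAdd parser",
])

if __name__ == "__main__":
    for c in flag_rewritten(parse_git_log(SAMPLE_LOG)):
        print(f"{c.sha[:12]} lag={c.lag_seconds // ONE_DAY}d author={c.author} {c.subject!r}")
```

Run `scan_repo("/path/to/clone")` against repositories you have cloned; anything flagged is worth diffing against a known-good copy before trusting it.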
- Poland’s nuclear research centre targeted by cyberattack
Poland's National Centre for Nuclear Research (NCBJ) said that "an attempted cyberattack on the Institute's IT infrastructure" was thwarted "thanks to the rapid and effective actions of security systems and procedures ... as well as the quick response of our teams." NCBJ says that production, operations, and research were not disrupted and that "the MARIA nuclear reactor is safe." Not a lot of detail on how the attack was thwarted but good to see low Time to Detect and Time to Mitigate highlighted. There is no shortage of failure stories — we need to have more case studies on successes to enable others to more easily follow similar paths. Rant: The thing is, you need to have not only the security infrastructure in place and operating, but also tested response plans. Purchasing shelfware, lacking alerts to events, or having staff not trained to respond to those alerts, can all result in your undoing, regardless of the threat actor. Don't be that target.
- Interpol sinkholes 45,000 IPs linked to global cybercrime
INTERPOL has arrested 94 individuals for their alleged roles in phishing and ransomware operations. Another 110 individuals remain under investigation. The operation also took down more than 45,000 malicious IP addresses and seized more than 200 electronic devices and servers.
This is an example of how international cooperation can really succeed. The operation has been growing since 2023’s Synergia I, with 52 countries participating and seizing 1,300 IP addresses, to Synergia III involving 72 countries and seizing 45,000 IP addresses. They still have many more individuals under investigation; expect to hear more from Operation Synergia.
- UK’s corporate registry fixes data exposing technical error
Companies House was forced to pull down its record-filing platform for the entire weekend to rectify a "security issue" that exposed the personal details of company directors and other data to any logged-in users. Companies House became aware of the vulnerability through Dan Neidle, a tax professional, who learned of the issue from Ghost Mail's director of operations John Hewitt. The incident has been reported to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The issue appears to have been introduced in an October 2025 WebFiling update.
Once logged in, you looked up another company by entering its company number, hit the access button on that screen, and at the authentication token prompt, hit the back button four times and instead of returning to your dashboard, you were logged into the dashboard of the company you're trying to access. The user who discovered the flaw didn't receive any acknowledgement, so the founder of Tax Policy Associates reported the flaw to the UK corporate register. Two lessons here: First, don't disregard reported flaws. Second, robust testing of code changes and access controls is still necessary. It is likely that access tokens were set prior to authentication being completed — a reminder that order of operations really matters.
- Apple releases background security improvement iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), macOS 26.3.2 (a)
Apple releases a bug fix using the new background security update feature introduced in OS versions 26.1.
This fix addresses a WebKit flaw, CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy. A cross-origin issue in the Navigation API was addressed with improved input validation. Reported by Thomas Espach.