This week in the security news:
- Citrixbleed 2 and so many failures
- Ruckus leads the way on how not to handle vulnerabilities
- When you have no egress
- Applocker bypass
- So you bought earbuds from TikTok
- More gadgets and the crazy radio
- Cheap drones and android apps
- Best Mario Kart controller ever
- VSCode: You're forked
- Bluetooth earbuds and vulnerabilities
- Do you remember Sound blaster cards?
- NFC passport chips
- Whack-a-disk
Paul Asadoorian
- The hidden JTAG in your Qualcomm/Snapdragon device’s USB port
- Critical CitrixBleed 2 vulnerability has been under active exploit for weeks
The vulnerability, CVE-2025-5777, is very similar to the 2023 Citrixbleed vulnerability (even though Citrix states they are different, I plugged it into an LLM, and the similarities are striking). Both are memory leaks that allow attackers to grab sensitive data from memory, including credentials. Credential harvesting is what makes this so attractive to attackers, as well as the ease of exploitation. The exploit is pretty easy; sending an HTTP request with the login parameter (no "=" and no value) returns random data from memory. This is not a good situation as:
- This has been actively exploited in the wild for some time, even before a patch or any public details were available! (Greynoise traces it back to June 23!)
- Citrix stated they are not aware of it being exploited in the wild; however, they are not the experts in exploitation in the wild. Therefore, I call into question any organization that states this that is not directly monitoring attacker activity.
- Citrix provided no details in the form of IoCs, vulnerability details, or really any useful information for its customers
If you want to read more of the technical details:
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
Detection:
- https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71 - Kevin Beaumont pulled no punches: "By providing no technical details at all (and also mistakenly saying in the original CVE it applied to the Netscaler Management Interface), customers have been left vulnerable to attack with absolutely no clue how to check for prior exploitation. This also happened with CitrixBleed. In reality exploitation started soon after the patch release, so providing no technical details didn’t slow exploitation — it gave attackers a head start and left customers with a false sense of security that simply applying patches resolved the problem. Had they been given, for example, a clue about looking for a large volume of doAuthentication requests, they could have checked logs and looked at WAF rules (for example, doAuthentication requests missing the correct headers — despite what the Netscaler blog says, this is possible). This didn’t happen, and now likely a large number of organisations will again be invoking incident response, under two years since CitrixBleed."
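Kevin Beaumont's suggested signal (a large volume of doAuthentication requests) combined with the malformed login parameter described above, as a small log-triage script. This is an added example, not code from any of the linked write-ups; the JSON-lines log format and the sample entries are constructed, and the /p/u/doAuthentication.do path is assumed.

```python
import json
from collections import Counter

# Constructed JSON-lines WAF/proxy export (not a real NetScaler log format):
# one request per line with the source IP, request path and raw POST body.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.5", "path": "/p/u/doAuthentication.do", "body": "login=alice&passwd=x"},
    {"src": "203.0.113.5", "path": "/p/u/doAuthentication.do", "body": "login=bob&passwd=y"},
    *([{"src": "198.51.100.9", "path": "/p/u/doAuthentication.do", "body": "login"}] * 6),
    {"src": "198.51.100.9", "path": "/logon/LogonPoint/index.html", "body": ""},
])

def login_param_malformed(body: str) -> bool:
    """True when a form field is the bare name 'login' (no '=' and no value)."""
    return any(field == "login" for field in body.split("&"))

def triage(log_text: str, volume_threshold: int = 5) -> dict:
    """Per-source findings for doAuthentication traffic: request volume and
    how many of those requests carried the bare 'login' field."""
    requests, malformed = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "doAuthentication" not in rec["path"]:
            continue
        requests[rec["src"]] += 1
        if login_param_malformed(rec.get("body", "")):
            malformed[rec["src"]] += 1
    findings = {}
    for src, n in requests.items():
        reasons = []
        if n >= volume_threshold:
            reasons.append("high-volume")
        if malformed[src]:
            reasons.append("malformed-login")
        if reasons:
            findings[src] = {"requests": n, "malformed": malformed[src], "reasons": reasons}
    return findings

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

The volume threshold is a tuning knob; on a real appliance the baseline of legitimate doAuthentication traffic sets it.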
- Ruckus Networks leaves severe flaws unpatched in management devices
This one kills me: Claroty Team 82 found 9 vulnerabilities in Ruckus products. No details yet, but for good reason. We don't have a full disclosure timeline; however, Ruckus (and the parent company) have not responded. To anyone. Not the researchers, not CERT, and not Bleeping Computer. Complete and total silence. It cannot feel good to be a Ruckus customer right now. The response is just baffling. If Ruckus handles this appropriately, it's a completely different conversation. As of right now, I would not recommend Ruckus until such time as they implement a proper vulnerability program.
- SockTail: Lightweight binary that joins a device to a Tailscale network for Red Teaming
Love this idea. Tailscale is great, why not use it as covert access during a Red Team engagement? If you'd like to do this, check out the GitHub.
- Applocker bypass on Lenovo machines – The curious case of MFGSTAT.zip
"A security researcher discovered that a file called MFGSTAT.zip, located in the C:\Windows folder on Lenovo machines, is writable by any authenticated user. This is problematic because, under default AppLocker rules, users can execute files from the Windows directory. By adding a malicious binary as an alternate data stream to MFGSTAT.zip, a standard user can bypass AppLocker restrictions and execute unauthorized code." - The fix is easy, just remove the zip file.
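A defensive check for the condition the researcher describes: parse the text output of `icacls C:\Windows\*` and flag files under the Windows directory that a standard user can modify (the combination default AppLocker rules do not protect against). This is an added example, not code from the article; the principal list and the sample icacls output are constructed, and paths containing spaces are not handled.

```python
import re

# "Any standard user" principals (constructed list) and icacls rights that allow
# changing file content: F=full, M=modify, W=write, WD=write data, AD=append data.
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)\s*$")
# First line of a block is "<path> <first ACE>"; the non-greedy path stops at the
# first space, so paths containing spaces are not handled (fine under C:\Windows).
FIRST_LINE_RE = re.compile(r"^(?P<path>\S.*?)\s+(?P<ace>[^:]+:(?:\([^)]*\))+)\s*$")

def ace_grants_write(rights: str) -> bool:
    """True if any parenthesised right group contains a write-capable right."""
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", rights):
        tokens.update(t.strip() for t in group.split(","))
    return bool(tokens & WRITE_RIGHTS)

def parse_icacls(output: str) -> dict:
    """Map each path in icacls text output to its list of (principal, rights)."""
    acls, current = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace():  # indented continuation ACE for the current path
            m = ACE_RE.match(line.strip())
            if m and current:
                acls[current].append((m["principal"], m["rights"]))
            continue
        m = FIRST_LINE_RE.match(line)
        if m:
            current = m["path"]
            principal, rights = m["ace"].split(":", 1)
            acls[current] = [(principal, rights)]
    return acls

def writable_by_standard_users(output: str) -> list:
    """Paths where a broad principal holds a write-capable right."""
    return [path for path, aces in parse_icacls(output).items()
            if any(p.lower() in BROAD_PRINCIPALS and ace_grants_write(r) for p, r in aces)]

# Constructed sample of icacls output, modelled on the MFGSTAT.zip finding.
SAMPLE_ICACLS = """\
C:\\Windows\\MFGSTAT.zip NT AUTHORITY\\Authenticated Users:(I)(M)
                       BUILTIN\\Users:(I)(RX)
C:\\Windows\\notepad.exe NT SERVICE\\TrustedInstaller:(F)
                        BUILTIN\\Users:(RX)
Successfully processed 2 files; Failed processing 0 files
"""
```

Any path this returns is a candidate for the same trick, zip or not, so it belongs in a periodic build-image check rather than a one-off.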
- eBay won’t let you buy or sell a Flipper Zero, but they are more than happy to sell you a range of equally nefarious products
This drives me nuts. You can lump Amazon into this mix as well. They won't allow you to buy or sell a Flipper Zero, but Lilygo CC1101, Proxmark 3s, and other devices are totally fine. Don't tell them these devices can do the same thing as a Flipper Zero! Banning things just doesn't work, and likely they are just avoiding any legal trouble, and/or appealing to the larger clients who believe you can use a Flipper to steal a car (which is not entirely true). Stop banning things. You can buy hammers, knives, crossbows, flame throwers, swords, chemicals, and a whole lot more (I went down a rabbit hole watching videos of people buying dangerous things on Amazon, don't do that). But you can't buy a Flipper Zero (or lockpicks, apparently). So stupid!
- Exploiting the IKKO Activebuds “AI powered” earbuds, running DOOM, stealing their OpenAI API key and customer data.
Basically, this is how not to ship a product. It runs Android with root-level ADB enabled, which means you can sideload apps (like DOOM, of course). The ChatGPT API key was easily extracted, as well as user data from the poorly implemented API. This is what you get when you order a product from a TikTok store...
- Crazyradio 2.0
Because I do not have enough gadgets, I ordered one: "Crazyradio 2.0 is a long range open USB radio dongle based on the nRF52840 from Nordic Semiconductor, featuring a 20dBm power amplifier and LNA."
- From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app
Cheap drones and Android apps were a recipe for a security disaster: "Following our research, we attempted to contact the maintainers of the affected libraries but received no response. As a result, the identified vulnerabilities remain unpatched. Notably, during the period we awaited a reply, the targeted application was removed from the Play Store."
- shellnot is a UNIX socket-based daemon for situations where you have RCE but no egress
This is super cool! If I understand correctly, as I did not test this tool out, you upload a binary to a target, then the client sends commands and retrieves the result of the command because you do not have any egress. Nice work!
- Ubuntu disables Intel GPU security mitigations, promises 20% performance boost
- Summary: "Ubuntu is disabling Intel GPU security mitigations for Spectre in its upcoming releases, promising up to a 20% boost in graphics performance on Intel-based systems. This change specifically affects the Intel GPU Compute Runtime (the “NEO” stack for OpenCL and Level Zero), where mitigations for Spectre-style speculative execution attacks have been in place since the vulnerability’s public disclosure in 2018"
- So much this: "Most of the researchers Ars consulted agreed. They reasoned that the mitigations built into the kernel are likely to protect against most if not all Spectre attack scenarios. They also noted that there are no known reports of Spectre attacks ever being actively used in the wild."
- How we turned a real car into a Mario Kart controller by intercepting CAN data
For the LOLZ. Bravo!
- Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork
"TL;DR: We discovered a critical vulnerability in open-vsx.org, the open-source VS Code extensions marketplace powering popular VSCode forks like Cursor, Windsurf and VSCodium, used by over 8,000,000 developers. This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines. By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX. One bug. Full marketplace takeover. Millions of developers and their organizations — compromised. If you control the extensions, you control the machine, the code, and the business." - Yikes! There has to be some better security around apps for VSCode forks. I believe this is the open-source double-edged sword: we can write code so anyone can see it, modify it, and run it. However, there is no central source of validation, making it difficult to sign code. WordPress and many other open platforms have this issue.
- The GPS Leak No One Talked About: Uffizio’s Silent Exposure
I have not validated this article. Summary (Perplexity): "The article discusses a significant but underreported data breach involving Uffizio, a company specializing in GPS tracking solutions. In this incident, sensitive GPS data—including real-time locations and personal information of users—was exposed due to inadequate security measures. The breach went largely unnoticed by mainstream media and industry watchdogs, raising concerns about the transparency and accountability of companies handling sensitive location data. The article emphasizes the potential risks to user privacy and security, and calls for stricter regulations and better security practices in the GPS tracking industry."
- Hardware Hacking 101: Identifying and Dumping eMMC Flash
Another great hardware hacking article, using the Amazon Echo as an example.
Larry Pesce
Lee Neely
- Unpatched Ruckus Vulnerabilities Allow Wireless Environment Hacking
Ruckus Wireless Virtual SmartZone (vSZ) and Network Director (RND) products are affected by multiple vulnerabilities that could allow attackers to compromise managed environments. Ruckus Networks is a provider of networking devices for venues with internet-connected systems, including hospitals, schools, and smart cities. Hardcoded secrets (CVE-2025-44957), Authenticated Arbitrary File Read (CVE-2025-44962), and Unauthenticated RCE in SSH (CVE-2025-44954), to start. No patches yet; the fix is to restrict access to management interfaces, require access over SSH or HTTPS, and review authorized accounts.
- Samsung Announces Security Improvements for Galaxy Smartphones
To keep the on-device AI-powered features protected, the company is introducing Knox Enhanced Encrypted Protection (KEEP), a new architecture that confines applications to their own sensitive information through encrypted storage environments.
- Bitcoin Depot breach exposes data of nearly 27,000 crypto users
Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information.
In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23.
Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed.
Because the financial risk is related to cryptocurrency, letter recipients were not offered coverage through identity monitoring and theft protection services.
Instead, they are advised to maintain high alertness for signs of fraud, monitor their account statements, and consider placing a security freeze on their credit report.
- The MFA You Trust Is Lying to You – and Here’s How Attackers Exploit It
First we were told to use SMS for MFA. Then we were told: “Don’t use SMS for MFA, use an authenticator app instead.”
And while that may seem like a step forward, it’s still fundamentally flawed. Authenticator apps do improve over SMS by avoiding message interception, but they are easily phished (every day now) and often rely on time-based codes that can also be phished, relayed, or even intercepted if the device is compromised.
Token BioStick or Token Ring are the gold standard. Phishing-proof. Tamper-resistant. Biometrically bound. Proximity required.
What frosts me is that on the one hand it's calling out the risks of some MFA solutions, but on the other hand this is a bloody commercial.