No FlipperZeros Allowed – PSW #908

Paul Asadoorian

1. CERT/CC Vulnerability Note VU#295169
2. Merry Christmas Day! Have a MongoDB security incident.
3. CVE-2025-14847: All You Need to Know About MongoBleed
4. Vulnerability Disclosure Forensics: /cgi-bin/upload.cgi
5. Learn How to Reverse Engineer Sub-GHz Remotes for Home Assistant
6. I automated network monitoring my home with ESP32 boards
7. How we pwned X (Twitter), Vercel, Cursor, Discord, and hundreds of companies through a supply-chain attack

   A small group of hackers discovered and exploited critical vulnerabilities in Mintlify, an AI documentation platform whose SDKs and templates are embedded in the sites of many major companies, leading to a large-scale supply‑chain attack affecting X (Twitter), Vercel, Cursor, Discord, and hundreds of other organizations. One of the group's members is just 16-years-old, and found that through the supply chain they could execute XSS attacks.

8. PS5 ROM Keys Leaked: Sony’s Unpatchable Security Nightmare (2026)

   The leak exposes low-level ROM keys used for boot and decryption, which opens the door to custom firmware, advanced loaders, and widespread unlicensed game backups on existing PS5 consoles. Because these are BootROM keys, they are effectively “baked into” shipped hardware, making the vulnerability unpatchable on consoles already in the wild.

9. InstaVM – Secure Execution of AI Generated Code

   Really great tips on how to use Claude to perform some security tasks. Similar to Matt Brown's tips, you can point Claude's code at a running process's log file and have it parse it on the fly and look for security vulnerabilities. Neat stuff!

10. Flipper Zero and Raspberry Pi banned at NYC mayoral inauguration

    This one really grinds my gears. There was no explanation given as to why Flipper Zeros and Raspberry PIs were explicitly banned from the Mayoral Inauguration. I wonder what they would do if we brought all sorts of ESP32s. What about a phone? Phones were allowed, but no Flipper Zeros. From a techincal perspective, this makes no sense. I suppose it does send a message that they do not want people messing around with RF or IR, which you do not have permission to do most likley anyhow. However, if you wanted to monitor communications legally, we can just make an ESP32 platform look like a phone. More and more I hear of these explicit bans, and the hacker in me just wants to come up with ways around them, just because its possible.

11. The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security

    This is the latest in the BADBOX saga, pre-infected devices are even more popular than ever before:

    • Kimwolf spreads by abusing weaknesses in major residential proxy services, using them as a tunnel back into the local networks of proxy endpoints, then scanning for exposed Android Debug Bridge (ADB) and similar services. ​* One key abused provider described is IPIDEA, whose proxy endpoints could be used to reach internal LAN addresses; attackers then pushed payloads by directing infected systems to a specific URL with a pass phrase to unlock the malicious download. ​* The core warning is that long‑standing assumptions about the safety of internal networks behind a router are now outdated, because Kimwolf can reach and compromise devices that were never meant to be Internet‑exposed, such as digital photo frames and grey‑market Android TV boxes.
12. I’m brave enough to say it: Linux is good now, and if you want to feel like you actually own your PC

    Best quote of 2026 so far: ''I've had it with Windows and ascended to the sunlit uplands of Linux, where the trees heave with open-source fruits and men with large beards grep things with their minds.'' - I am going to say this: 2026 is not going to be the year of the Linux desktop, it already is. Also, I am upgrading my graphics card from an older GTX 1080 Ti to an AMD 7900 XT. If you run the 10xx NVIDIA cards, you are now stuck on the 575xx driver in Linux, so its a good time to upgrade. Especially to AMD, as the drivers on Linux are great for AMD cards. We'll see how it does with password cracking and local LLMs...I will report back!

13. I removed Samsung’s “unremovable” apps and my phone flies now

    This is a neat trick I am going to try on devices that are impossible or super difficult to root: "UAD-NG (Universal Android Debloater Next Generation) circumvents this entire ordeal by exploiting a loophole in Android's architecture. While system apps reside in the protected /system partition that only manufacturers can modify, Android also stores user data and cache in the /data partition. The tool doesn't really delete system packages — instead, it uninstalls them for all user profiles, effectively freezing them and preventing them from loading into memory. The apps disappear from your app drawer, stop consuming RAM, stop running background processes, and stop siphoning battery life." - UAD-NG is here: https://github.com/Universal-Debloater-Alliance/universal-android-debloater-next-generation - Be careful though, you can certainly screw up your device using this tool. You've been warned.

14. North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location [Updated]

    I love this commitment to monitoring: " Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was more than 110 milliseconds"

15. Risks of OOB Access via IP KVM Devices – SANS ISC

    Small, inexpensive, add-on KVMs (NanoKVM, JetKVM, etc...) are becoming popular. Researchers and users have already observed many security issues, some have been addressed and some have not. Johannes has some great recommendations, let me summarize and expand on them:

    • Authentication - Given these devices, similar to a BMC, give remote users the equivilent of physical access, setting a password and enabling MFA (if available) is the most important step.
    • Keep them off the Internet - Use Tailscale or a similar VPN, and further segment KVMs on the network.
    • Configure TLS - It may not be enough, and shockingly, or pehaps not shockingly, TLS is not enabled by default for the admin interfaces on these devices.
    • Lock Screens - These may not help you, but you've all heard the story of when I was on a penetration test and accessed a BMC and was dumped into a root shell. Its important to make sure the system is configured to automatically lock, so if someone does access it via KVM/BMC, there is still a login screen. It is important to note that some KVMs give you the ability to boot the system on removable media, which opens up a wider attack surface, basically the attacker is phyically on the system.
16. Fixing a Buffer Overflow in UNIX v4 Like It’s 1973

    This is neat: "In 2025, the only known copy of UNIX v4 surfaced on a magnetic tape. This version marks a pivotal moment in computer history: the rewriting of UNIX into C. Enthusiasts quickly recovered the data and successfully ran the system on a PDP-11 simulator. Fascinated by this artifact, I set up an instance to explore it. Because the distribution includes the source code, I examined the implementation of several core utilities. While auditing the su(1) program, I identified a bug. Let’s fix it." AI summary:

    • "a researcher found and fixed a classic stack-based buffer overflow in the historical UNIX v4 su program while running it on a PDP‑11 simulator in 2025. The bug stems from reading an arbitrarily long password into a fixed 100‑byte buffer without bounds checking, allowing input longer than 100 characters to overwrite adjacent memory and sometimes crash su with a core dump. To fix this, the author edited su.c with the vintage ed editor, added an integer counter i, and modified the password input loop to abort if the number of characters read reaches the buffer size, preventing overflow."
17. Hacktivist deletes white supremacist websites live onstage during hacker conference

    "A hacktivist using the pseudonym Martha Root remotely wiped three white supremacist websites...live on stage during a talk at the Chaos Communication Congress in Hamburg, and those sites remain offline. Root had previously infiltrated the platforms, scraped their public data, and later published a dataset exposing users’ profiles, including images with precise geolocation metadata and detailed demographic information, while stating that emails, passwords, and private messages were not included “for now.""

18. I turned my old Chromebook into a Linux-powered smart hub, and it’s incredible

    This makes me not want to get rid of any old tech, but then again, my projects have projects :)

19. Hackers claim to hack Resecurity, firm says it was a honeypot

    I mean, that's what someone would say who got hacked, but also, after reading up on it, I do believe it was a honeypot.

Larry Pesce

1. Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon
2. AI Autonomously Finds 7 FFmpeg Vulnerabilities
3. What’s Hiding Inside Haribo’s Power Bank and Headphones?
4. Cybersecurity Compliance: What’s Most Rewarding? – BlockTelegraph
5. Texas sues TV makers for taking screenshots of what people watch
6. NYC Mayoral Inauguration bans Raspberry Pi and Flipper Zero alongside explosives
7. The ‘Hidden’ Microphone Inside The Sipeed NanoKVM
8. Hacktivist deletes white supremacist websites live onstage during hacker conference

Lee Neely

1. The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security

   "Everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date," writes Brian Krebs about the expanding Kimwolf botnet, in an article he characterizes as an "urgent Internet-wide security advisory." Kimwolf appears to have compromised over 2 million devices worldwide, enabling ad fraud, account takeovers, mass content scraping, DNS hijacking, and distributed denial-of-service (DDoS) attacks, among other malicious activity.

   Use the Synthient device security check site below to see if your network is on the compromised list. Then check their Kimwolf product devices list against your network devices. If you find anything on that list, remove it from your network immediately. Make sure you connect visitors to your guest wireless, not your primary networks.

   https://synthient.com/check https://github.com/synthient/public-research/blob/main/2026/01/kimwolf/product_devices.csv

2. Cybersecurity pros admit to moonlighting as ransomware scum

   On Monday, December 29, 2025, Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty to "one count of conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion," following their October indictment by the US Department of Justice (DOJ) for conducting ransomware attacks against five US companies in 2023.

   One of the concerns here is the training gained as incident responders/defenders was used to enable and support criminal activities. Reality is, this is where background checks and agreements to ethical behavior meet human tendencies. These need to be repeated, not one and done, along with appropriate monitoring and reporting to keep the bar as high as possible.

3. Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks

   Fortinet says that a vulnerability first disclosed more than five years ago is still being actively exploited. CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in certain configurations of FortiGate SSL VPN allows attackers to bypass multi-factor authentication (MFA).

   The issue was addressed in a 2020 update which has still not been applied in all cases. Make suire your Fortinet devices are fully updated. Don't get caught up in why something is or isn't updtaed, it's more important to get them updated then go back and fix whatever allowed them to not be kept up to date as phase two.

4. Sedgwick confirms cyber incident affecting its major federal contractor subsidiary

   File transfer services remain a target due to their importance in integrating disparate systems. This is a good time to review your file transfer systems and make sure that you're not only running secure updated versions, but also following the security best practices, to include retiring and disabling unencrypted protocols and single factor authentication.

5. CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution

   CVE-2025-14847, DigiEver command injection flaw, has a CVSS 3 score of 8.8 and attempted exploits may go back as far as November 2024, using a variant of the Mirai botnet, which means you need to grab the IOC's Akamai published for your threat hunters as well as update to a supported version of DigiEver.

   https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing

6. Patch MongoDB Now to Fix Exploited Memory Leak

   On December 19, 2025, MongoDB released patches for MongoDB server, disclosing and fixing a flaw that allows an unauthenticated attacker to read uninitialized heap memory due to mismatched length fields in Zlib compressed protocol headers (CVE-2025-14847, CVSS 8.7). One week later, on December 26, a researcher from Elastic Security published proof-of-concept (PoC) exploit code for this vulnerability, dubbed "MongoBleed," and by December 29 the flaw was added to the Cybersecurity and Infrastructure Security's catalog of Known Exploited Vulnerabilities (CISA KEV). Rapid7, who confirmed the effectiveness of the PoC code, urge self-managed MongoDB instance users to remediate immediately instead of waiting for normal patch cycles, and to rotate all database and application credentials. Given that there is verified POC code for this exploit, step one is to ensure you're on one of the patched versions of MongoDB. Step two is to make sure you're on 8.2.3 or higher. While there is a workaround of disabling zlib compression, it may take more time to run down the impact of making that change than simply applying the update.

7. HIPAA Journal Lists Largest Healthcare Data Breaches of 2025

   The HIPPA Journal's current analysis of healthcare breaches data gathered by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicates that while 2025 included a number of significant care sector breaches, the number of large breaches and the total number of individuals affected have decreased relative to data from prior years.

8. Korean telco failed at femtocell security, exposed customers

   An investigation conducted by South Korea's Ministry of Science and ICT (MSIT) found that South Korean telecommunications and digital services provider KT mismanaged the security of femtocell mobile base stations.

   According to analysis from Yongdae Kim (Professor at KAIST, IEEE Fellow, KAIST ICT Endowed Chair), KT had deliberately disabled end-to-end encryption on some femtocell models, the devices had no root passwords, stored keys in plaintext, and because SSH was enabled, the devices were remotely accessible.

   Using the same certificate for authentication is the same as a default password. In addition to a shared certificate, with a ten-year lifespan, these devices had internet facing SSH, an empty root password and stored keys in plaintext. That was enough to allow fake devices to be created and operated as legitimate devices.