Aliz Hammond

Adobe Commerce (Magento) CVE-2022-24086 : Return Of The Text Interpolation

In our latest blog post, we'll be discussing a vulnerability that - while not new - is shrouded in mystery. Ranging from bizarre and false PoCs circulating on Twitter, to incomplete analysis on dark corners of the web. As part of our Attack Surface Management capabilities delivered through the watchTowr

What Does This Key Open? - Docker Container Images (4/4)

This post is the fourth part of a series on our recent adventures into DockerHub. Before you read it, you may be interested in the previous instalments, which are: * "I don't need no zero-dayz" - Docker Container Images (1/4) * Layer Cake: How Docker Handles Filesystem Access (2/4) * Learning

Learning To Crawl (For DockerHub Enthusiasts, Not Toddlers) - Docker Container Images (3/4)

This post is the third part of a series on our recent adventures into DockerHub. Before you read it, you are advised to look at the part other parts of this series: * "I don't need no zero-dayz" - Docker Container Images (1/4) * Layer Cake: How Docker Handles Filesystem Access

Layer Cake: How Docker Handles Filesystem Access - Docker Container Images (2/4)

This post is the second part of a series on our recent adventures in DockerHub. Before you read it, you may want to check out the other posts of this series: * "I don't need no zero-dayz" - Docker Container Images (1/4) * Learning To Crawl (For DockerHub Enthusiasts, Not Toddlers)

"I don't need no zero-dayz" - Docker Container Images (1/4)

This post is the first part of a series on our recent adventures into DockerHub. You may be interested in the next instalments, which are: * Layer Cake: How Docker Handles Filesystem Access (2/4) * Learning To Crawl (For DockerHub Enthusiasts, Not Toddlers) (3/4) * What Does This Key Open? -

We're Out Of Titles For VPN Vulns - It's Not Funny Anymore (Fortinet CVE-2022-42475)

As part of our Continuous Automated Red Teaming and Attack Surface Management capabilities delivered through the watchTowr Platform, we analyse vulnerabilities in technology that are likely to be prevalent across the attack surfaces of our clients. This enables our ability to rapidly PoC and identify vulnerable systems across large attack

Why It's Not Worth Goading Us On A Friday - CVE-2022-36537 At Scale

At watchTowr, the security of our client's external systems is of priority. And as hackers, bugs are our passion. It's our job to understand emerging weaknesses, vulnerabilities and misconfigurations - and quickly translate that knowledge into an answer to the question of "how does this impact our clients?". Through our

Text4Shell++ - Where There’s Smoke, There’s Fire

(Or at least some ash) As part of our Attack Surface Management capabilities delivered through the watchTowr [https://www.watchtowr.com] Platform, we analyse vulnerabilities in technology that is likely to be prevalent across the attack surfaces of our clients. This enables proactive defense for organisations leveraging the watchTowr Platform,

OpenSSL 3.0.7 - Otherwise Known As, The Hype That Was Not

Finally, it is midnight (in my timezone, at least) and the wait is over - OpenSSL have published details of their second ever critical severity, nope high-severity (**amended after disclosure), security vulnerability - tracked as CVE-2022-3786 and CVE-2022-3602. The details published by OpenSSL can be found here: CVE-2022-3786 and CVE-2022-3602:

CVE-2022-44889 - Text4Shell Analysed

As part of our Attack Surface Management capabilities delivered through the watchTowr [https://www.watchtowr.com] Platform, we analyse vulnerabilities in technology that is likely to be prevalent across the attack surfaces of our clients. This enables our ability to rapidly PoC and identify vulnerable systems across large attack surfaces.