Piotr Bazydlo (@chudyPB)

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This

More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600)

Welcome back. We’re excited to yet again publish memes under the guise of research and inevitably receive hate mail. But today, we’ll be doing something slightly different to normal. “Wow, watchTowr, will you actually be publishing useful information instead of memes?” Today, instead of pulling apart “just one”

Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)

File transfer used to be simple fun - fire up your favourite FTP client, log in to a glFTPd site, and you were done. Fast forward to 2025, and the same act requires a procurement team, a web interface, and a vendor proudly waving their Secure by Design pledge. Ever

You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)

We’re back - it’s a day, in a month, in a year - and once again, something has happened. In this week’s episode of “the Internet is made of string and there is literally no evidence to suggest otherwise”, we present even further evidence that as a

Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE)

What is the main purpose of a Content Management System (CMS)? We have to accept that when we ask such existential and philosophical questions, we’re also admitting that we have no idea and that there probably isn’t an easy answer (this is our excuse, and we’re sticking

Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault

We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds. Today, we're back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, we've continued to spend irrational amounts of time looking at

Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform

Welcome to June! We’re back—this time, we're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. We’ve spent a bit of time recently looking at CMS’s given the basic fact that they represent attractive

Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)

Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend -

XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)

We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterprises using this solution - any serious vulnerability, or

By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)

It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution.. While we would enjoy