Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Research
  • Tools and techniques

When project files become instructions: AI agents, CI pipelines and the new attack surface

AI agents now read repository files, skills, plugins and CI context as part of normal operation, which creates new attack paths across local development and automated workflows. This blog explains how those instruction channels work, why they matter from a security perspective, and what organisations should do to manage the risk before unsafe patterns become normalised.

Read more
  • News
  • Penetration testing
  • Red teaming
  • Research
  • Tools and techniques

One Identity Secure Password Extension Privilege Escalation (CVE-2025-27582)

Cyberis has discovered a local privilege escalation (LPE) vulnerability - CVE-2025-27582 - in One Identity Secure Password Extension x64 v5.14.3.1, a component of One Identity Password Manager. By abusing the Password Self-Service feature available on the Windows lock screen, an attacker can bypass security restrictions, launch a SYSTEM-privileged print dialog, and ultimately gain a SYSTEM shell. This vulnerability requires only local access and is trivially exploitable in environments where this software is deployed. An attacker can escalate to SYSTEM directly from the logon screen—without requiring valid credentials.

Read more
  • Detect and respond
  • Red teaming
  • Research

Microsoft Bookings – Facilitating Impersonation

Microsoft Bookings introduces a significant security risk by allowing end users to create fully functional Entra accounts without administrative oversight. These accounts, tied to shared Booking pages, can be exploited for impersonation, phishing, and email hijacking. Attackers could leverage this functionality to bypass security measures, gain unauthorised access to sensitive resources, and facilitate lateral movement within an organisation. Our blog explores these weaknesses in detail and provides recommendations for detection and mitigation.

Read more
  • Penetration testing
  • Research
  • Tools and techniques

Bypassing IP based brute force protection with IPv6

Brute-force protections – designed to protect against attacks like password guessing – need to be carefully pitched and have associated pros and cons. Many popular protections these days rely upon monitoring and blocking malicious activity based on source IP address. In this blog post, we explore using IPv6 temporary addressing to bypass IP based brute-force protection.

Read more
  • Cloud risk management
  • Research
  • Tools and techniques

Intune hacking: when is a "wipe" not a wipe

In this blog post we explore privilege escalation to SYSTEM with Intune managed devices, and how an Intune "Wipe" is not really a wipe at all.

Read more
  • Research

CVE-2021-20047: DLL Search Order Hijacking Vulnerability

When looking for methods of execution in controlled environments, software components are an essential area of review. With the implementation of controls such as AppLocker, running arbitrary executables becomes more difficult. In most environments we test, AppLocker is now a common configuration implementation which serves to reduce the attack surface by defining the permitted locations an executable is allowed to run from.

Read more
  • Research

Let's Talk Quantum Cryptography Pt 2

When testing these types of systems, vulnerabilities can be broken down into two broad classes: Inherent flaws – These occur when an assumption made during the creation of a protocol doesn’t hold to be true, a new mathematical technique for example may break the security of the protocol. An example of a protocol with inherent flaws would be SSLv3. Implementation flaws – These occur because physical systems aren’t perfect, nor is our adaptation of theoretical principles to physical mediums. Where these imperfections exist so does the potential for exploitation. Today we’ll be looking at some implementation flaws, but to begin let’s have a think about the set-up Alice and Bob will need to carry out the steps of the BB84 protocol.

Read more
  • News
  • Research

Domain Hijacking Via Logic Error - Gandi And Route 53 Vulnerability

On 12 February 2021, Cyberis identified a weakness in the domain transfer processes of Gandi which allowed any Nominet registry domain (including .co.uk and org.uk domains) registered with Gandi to be transferred out of the owner’s control and into the control of an arbitrary AWS Route 53 account, without any authorisation being provided by the owner of the domain. 

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis