Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.
June 10, 2026 – Host header fuzzing stops at the HTTP layer and can’t find services hardened at the TLS handshake via SNI validation. SNItch fills that gap by fuzzing the SNI field directly – and doubles as a tool to verify your own servers don’t leak hostnames to IP-based reconnaissance.
Author: Felix Friedberger
May 20, 2026 – In March 2026, cirosec identified an ongoing malware campaign targeting developers, IT professionals, and power users who rely on popular open-source and productivity tools. The campaign is only accessible using the Bing search engine. Once executed, the malware exfiltrates browser credential stores, cryptocurrency wallet data, authentication tokens, VPN and SSH configurations, and sensitive documents.
Author: Colin Glätzer, Konrad Weyhing, Felix Friedberger
11. Mai 2026 – Eine kurze Zusammenfassung unseres Vortrags bei den cirosec-TrendTagen zu Pentesting, Assumed Breach, Red Teaming, TLPT & Co.
Author: Michael Brügge
May 5, 2026 – Today a single malicious container image could be enough to take over a larger fleet of machines and grant an attacker control over confidentiality, integrity and availability of all the workloads running in a Kubernetes cluster and potentially beyond, since clusters often hold secrets and credentials for external services and infrastructure. In this article we outline a set of key security domains that organizations should address to secure Kubernetes effectively.
Author: Christoffer Albrecht
April 14, 2026 – This article focuses exclusively on penetration testing applications that use off-the-shelf LLM models through inference APIs.
Author: Felix Friedberger
March 24, 2026 – Entra ID und Azure sind ein eigener Kosmos, der viele Möglichkeiten aber auch viele Stolperfallen hinsichtlich der Sicherheit mit sich bringt. Entra ID und Azure sicher zu betreiben, ist eine Kunst für sich und stellt viele IT-Abteilungen vor große Herausforderungen. In diesem Blogpost soll es darum gehen, wie man diesem Problem Herr werden kann.
Author: Constantin Wenz
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.
February 17, 2025 – MobaXterm is a toolbox for remote computing.
January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.
cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.
Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.
| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
| Vulnerability in Two App Studio Journey | CVE-2025-41459 | 7.8 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in Two App Studio Journey | CVE-2025-41458 | 5.5 (CVSS v3.1) | July 21, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2306 | 5.9 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in SYNCPILOT LIVE CONTRACT | CVE-2025-2305 | 8.6 (CVSS v3.1) | May 15, 2025 | Advisory |
| Vulnerability in Elaborate Bytes Virtual Clone Drive [ext] | CVE-2025-1865 | 7.8 (CVSS v3.1) | April 4, 2025 | Changelog |
| Vulnerability in Mobatek MobaXterm | CVE-2025-0714 | 6.5 (CVSS v3.1) | February 17, 2025 | Advisory |
| Vulnerability in Intel AMT | CVE-2024-38307 | 7.7 (CVSS v3.1) | February 11, 2025 | Intel |
| Vulnerability in G DATA Management Server [ext] | CVE-2025-0542 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in G DATA Security Client [ext] | CVE-2025-0543 | 7.8 (CVSS v3.1) | January 24, 2025 | Advisory |
| Vulnerability in Trend Micro Apex One | CVE-2024-55631 | 7.8 (CVSS v3.1) | January 8, 2025 | Advisory, Trend Micro |
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3.1) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3.1) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3.1) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3.1) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3.1) | July 1, 2024 | ZDI-Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3.1) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3.1) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | 7.8 (CVSS v3.1) | November 7, 2023 | Advisory | |
| Vulnerability in Bytello Share | 7.8 (CVSS v3.1) | November 6, 2023 | Advisory | |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3.1) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3.1) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3.1) | September 30, 2022 | Advisory, RealVNC |
| Title | Author | Publication Date | Category |
| Fuzzing vhosts with SNI(tch) | Felix Friedberger | June 10, 2026 | Pentesting |
| Analysis of a credential-stealer malware campaign – Part 1 | C. Glätzer, K. Weyhing, F. Friedberger | May 20, 2026 | Forensic |
| Reifegrad für Sicherheitsüberprüfungen | Michael Brügge | May 11, 2026 | Pentesting |
| The seven seas of Kubernetes security | Christoffer Albrecht | May 5, 2026 | Kubernetes |
| Penetration Testing LLM Web Apps: Common Pitfalls | Felix Friedberger | April 14, 2026 | Pentesting |
| Auditieren von M365 und Azure | Constantin Wenz | March 24, 2026 | Azure, EntraID |
| How Attackers Abuse Bubbleapps.io to Phish German Businesses | Felix Friedberger | February 10, 2026 | Forensic |
| Windows Instrumentation Callbacks – Part 4 | Lino Facco | February 10, 2026 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 3 | Lino Facco | January 28, 2026 | Red Teaming, Reverse Engineering, Windows |
| Die neue i-Kfz-App für den digitalen Fahrzeugschein | Julian Lemmerich | December 3, 2025 | Digitalization, Identity, Mobile Security |
| Beacon Object Files for Mythic – Part 2 | Leon Schmidt | November 27, 2025 | Red Teaming, Command-And-Control |
| A collection of Shai-Hulud 2.0 IoCs | Niklas Vömel & Felix Friedberger | November 27, 2025 | Forensic, Incident Handling |
| Beacon Object Files for Mythic – Part 1 | Leon Schmidt | November 19, 2025 | Red Teaming, Command-And-Control |
| Windows Instrumentation Callback – Part 2 | Lino Facco | November 12, 2025 | Red Teaming, Reverse Engineering, Windows |
| Windows Instrumentation Callbacks – Part 1 | Lino Facco | November 5, 2025 | Red Teaming, Reverse Engineering, Windows |
| IOCs of the npm crypto stealer supply chain incident | Niklas Vömel | September 25, 2025 | Forensic, Incident Handling |
| Effektive Governance-Strategien im Red Teaming | Hannes Allmann | June 30, 2025 | Red Teaming |
| The Key to COMpromise – Part 4 | Alain Rödel and Kolja Grassmann | February 26, 2025 | Red Teaming |
| The Key to COMpromise – Part 3 | Alain Rödel and Kolja Grassmann | February 12, 2025 | Red Teaming |
| The Key to COMpromise – Part 2 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| TLPT: Bedrohungsorientierte Penetrationstests nach DORA | Michael Brügge | January 24, 2025 | Red Teaming |
| The Key to COMpromise Part 1 | Alain Rödel and Kolja Grassmann | January 15, 2025 | Red Teaming |
| Wer hat das Elster-Zertifikat weitergegeben? | Benjamin Häublein | December 3, 2024 | Identity |
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |
