Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends.
Full story: open.substack.com/pub/calif/…
MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)
To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI.
blog.calif.io/p/mad-bugs-cla…
We have some exciting news to share: @blacktop__ is joining Calif to work on a range of R&D projects focused on Apple and AI security.
If you work in the Apple security ecosystem, he’s already a household name. He’s the creator of:
* ipsw – the ubiquitous Apple firmware analysis tool: github.com/blacktop/ipsw
* darwin-xnu-build – reproducible XNU kernel builds: github.com/blacktop/darwin-x…
* ipsw-diffs – automated diffing of Apple releases: github.com/blacktop/ipsw-dif…
* The only public deep-dive on Apple’s Lockdown Mode: github.com/blacktop/presenta…
His tooling is so good that even Apple engineers use it. If you do reverse engineering, chances are you’ve touched his Rust headless IDA MCP server: github.com/blacktop/ida-mcp-….
People have literally collected CVEs and bug bounties just by digging through the diffs produced by his tools.
With @brucedang, @Little_34306 and now @blacktop__, we're building a serious Apple security force at Calif. We’ll have more announcements in this space soon!
If you're interested in Apple security, AI, automated bug discovery, reverse engineering, or hacking, we’re hiring: calif.io/jobs.
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets.
A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic.
open.substack.com/pub/calif/…
We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem - including the AWS Console itself 🤯
How did we do it? Just two missing characters was all it took.
This is the story of #CodeBreach 🧵👇
If you can motivate yourself to spend 8 hours a day, 5 days a week reading through:
- Atlassian
- Jira
- Slack
- GitHub
- Other internal SaaS applications
without guaranteed results, you'll be an amazing red teamer.
Submitted this bug to ZDI a long time ago, but they weren’t interested 🥲. Later sent to Oracle, marked dup of CVE-2023-22047. CVSS 7.5 but leads to unauth RCE. Fortunately, some big programs accepted it. Check the exploit here:
github.com/tuo4n8/CVE-2023-2… #BugBounty #InfoSec #Oracle
Wormable Substack XSS: blog.calif.io/p/wormable-sub…
It must have been years since the last time a wormable XSS was found in a major social media website. This beautiful type confusion XSS attack vector is a gift that keeps on giving.
But most of all, @samykamkar is our hero!
New blog post: in a recent engagement, we turned a simple XSRF in Argo CD to a shell with cluster admin privileges.
No fix is available. We recommend hosting Argo CD on an isolated domain.
Details: blog.calif.io/p/argo-cd-csrf
If you use cert-manager.io in AWS EKS, be aware of a privesc vector that leads to full cluster compromise. We recommend revoking pod creation permission and switching to domain verification using DNS.
See the update at the end of this blog post: blog.calif.io/p/privilege-es…
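As an added illustration of the recommendation in the post above (this is not code from the post or from the cert-manager project): a ClusterIssuer using the HTTP01 solver, which makes cert-manager create a solver pod per ACME challenge and is why the controller holds pod-creation rights, next to one using the DNS01 solver with Route53 and IRSA, which needs no in-cluster pods. The issuer names, e-mail address, DNS zone, hosted zone ID, namespace and IAM role ARN are placeholders.

```yaml
# Added example (not from the post or the cert-manager project).
# All names, the e-mail, the zone and the IAM role ARN are placeholders.

# --- Before: HTTP01 solver. cert-manager answers the ACME challenge by
# creating a solver pod, service and ingress per challenge, which is why the
# controller's RBAC includes pod creation.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: security@example.com
    privateKeySecretRef:
      name: letsencrypt-http01-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
# --- After: DNS01 solver via Route53. The challenge is satisfied by writing a
# TXT record in the hosted zone, so no solver pods are created. AWS credentials
# come from IRSA (see the service account below), not from a static access key.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: security@example.com
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - selector:
          dnsZones:
            - example.com          # placeholder zone
        dns01:
          route53:
            region: us-east-1
            hostedZoneID: Z0000000000000EXAMPLE   # placeholder
---
# IRSA binding for the cert-manager controller's service account. Scope the IAM
# role to route53:ChangeResourceRecordSets and route53:ListResourceRecordSets on
# this one hosted zone, plus route53:GetChange and route53:ListHostedZonesByName.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: cert-manager
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/cert-manager-dns01   # placeholder
```

Switching the solver does not by itself remove the pod-creation permission the post says to revoke; that lives in cert-manager's own RBAC objects and is a separate change. After making it, confirm with `kubectl auth can-i create pods --as=system:serviceaccount:cert-manager:cert-manager` that the answer is `no`.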
In a recent engagement, we encountered a target running CraftCMS, and discovered a Remote Code Execution vulnerability that allowed us to compromise the target.
blog.calif.io/p/craftcms-rce
CC @yeuchimse
We have updated nord-stream, our #CI/CD secrets extraction tool, to support GitLab. Turns out it is way easier to dump all the creds on GitLab, check out the updated version of our blog post to understand why.
synacktiv.com/publications/c…
We published a post that takes a deep dive into EKS IAM mechanisms, and techniques to pivot from compromised Kubernetes workloads to an AWS account.
securitylabs.datadoghq.com/a…