Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
The XZ Utils Backdoor (CVE-2024-3094) Explained: A Near-Miss Supply Chain Catastrophe
CVE-2024-3094 was a deliberately planted backdoor in xz-utils 5.6.0/5.6.1 targeting sshd. It was caught by a 500ms delay one engineer refused to ignore. Here is how the attack worked.
Cisco IOS XE CVE-2023-20198 Explained: The Web UI Privilege Escalation Zero-Day
CVE-2023-20198 is an unauthenticated privilege escalation in the Cisco IOS XE Web UI, rated CVSS 10.0, that let attackers implant tens of thousands of devices in days. Here is how it worked and how to remediate.
Drupalgeddon2 (CVE-2018-7600) Explained: Drupal's Form API RCE
CVE-2018-7600, known as Drupalgeddon2, is a CVSS 9.8 unauthenticated remote code execution flaw in Drupal core's Form API. Here is how the renderable-array bug works and which versions to run.
Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained
CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.
PrintNightmare (CVE-2021-34527) Explained: When the Windows Print Spooler Ran Code as SYSTEM
CVE-2021-34527, PrintNightmare, let an authenticated attacker load a malicious printer driver through the Windows Print Spooler and execute code as SYSTEM — locally or across a domain.
WebP (CVE-2023-4863) Explained: The libwebp Heap Overflow That Patched the Web
CVE-2023-4863 was an actively exploited heap buffer overflow in libwebp's Huffman decoder. Because the codec is vendored everywhere, one bug forced emergency patches across browsers and apps.
GitHub Advisory Database: 30,000+ curated advisories beyo...
GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.
Apache Struts (CVE-2017-5638) Explained: The OGNL Header That Breached Equifax
CVE-2017-5638 let attackers run commands on Apache Struts 2 servers through a crafted Content-Type header. It is the unpatched flaw behind the Equifax breach. Here is the OGNL mechanism.
BlueKeep (CVE-2019-0708) Explained: The Wormable RDP Vulnerability
CVE-2019-0708, known as BlueKeep, is a pre-authentication use-after-free in Windows Remote Desktop Services rated CVSS 9.8. Here is how it works and why Microsoft patched Windows XP to fix it.
PaperCut CVE-2023-27350 Explained: Auth Bypass to Unauthenticated RCE
CVE-2023-27350 is an authentication bypass in PaperCut MF and NG that hands an attacker admin access and remote code execution, rated CVSS 9.8. Here is the timeline, root cause, and how to remediate.
ProxyShell (CVE-2021-34473) Explained: The Exchange Path Confusion Behind a Pre-Auth RCE Chain
CVE-2021-34473 is the path-confusion flaw at the head of ProxyShell — a three-bug Microsoft Exchange chain that took unauthenticated attackers all the way to remote code execution.
Zerologon: The Netlogon Cryptographic Flaw (CVE-2020-1472) Explained
CVE-2020-1472 let an unauthenticated attacker seize a domain controller in seconds by exploiting an all-zero AES-CFB8 initialization vector. Here's the real mechanism and the fix.