TL;DR Introduction It’s been a while since I wrote a “Vulnerabilities that (mostly) aren’t” post, but a recent discussion in our pen testing teams brought about a change in how we’re reporting LUCKY13 (and potentially other TLS vulnerabilities), leading me to revisit this vulnerability. What is it? The LUCKY13 attack was a vulnerability and tied […]| Pen Test Partners
I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one. A common finding from build reviews and CIS comparisons: unquoted spaces in service or run paths. What is it? Windows has always been inconsistent in how its API handles uncommon characters in paths. Unlike *ix it […]| Pen Test Partners
This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. What Is It? The header is a simplistic method of helping the user-agent identify whether […]| Pen Test Partners
This is the first of my posts that explain why some common security vulnerabilities are most likely not real threats. They should be treated as security enhancements rather than vulnerabilities. Bearing in mind the number of scanning tools that rate such vulnerabilities as “high” it’s no wonder people make the mistake of reporting them. It’s […]| Pen Test Partners
Pen Test Partners provides cyber security consulting and testing to a huge variety of industries and organisations. With offices in the US and UK, we're never too far away.| Pen Test Partners
The UK Cyber Security and Resilience Bill (CS&R) was announced last year in the King’s Speech. It addresses gaps in current regulation, like NIS, with a broad scope, enhanced incident reporting requirements, and highlights the importance of supply chains in security.| Pen Test Partners
Artificial intelligence (AI) and machine learning (ML) features are being implemented on devices. They could allow the leakage of information through accidental interaction. They can cause a security control to change its attack surface and risk score.| Pen Test Partners
When we planned PTP Cyber Fest, we set out to create something different from the usual cybersecurity events. After two busy days, we can proudly say the event delivered exactly what we hoped for and more.| Pen Test Partners
Consilium Salwico CS5000 Fire Panel vulnerability advisory. CVE-2025-46352 – Default Account & CVE-2025-41438 – Hardcoded VNC Credentials| Pen Test Partners
TL;DR Introduction In certain circumstances it can be challenging installing client applications for testing. Situations arise where the application could be provided unsigned or requires self-signing. As a result, the application cannot be directly provisioned to the device. Installing the application can be challenging without access to a MacBook and Xcode or if the client […]| Pen Test Partners
Introduction Over the years we have been fortunate to have been called upon to help with some challenging investigations. iPhone prize scams, ransomware attacks that weren’t, aiding the Steele Dossier case, and even a fraudulent €14 million transfer. Here we’ve picked out the most interesting ones, showing what our DFIR team can do, and continues […]| Pen Test Partners
TL;DR Introduction SharePoint is a Microsoft platform that enables collaborative working and information sharing. This done with team sites. They work like regular intranet pages with graphics and text, but they also give you places to store and manage your files. Notably, when files and images are shared on Microsoft Teams, SharePoint automatically creates a […]| Pen Test Partners
TL;DR Introduction On a recent Red Team engagement we got Domain Admin privileges on the on-premises Active Directory (AD) network. But we had not yet gained access to their cloud estate, which was hosted in Azure. Our level of access to on-prem AD gave us access to a large number of resources, many containing sensitive […]| Pen Test Partners
Back at the start of October, we had a call from the BBC asking if we could help unpick a fraud. The victim had been defrauded of ~£12,000 through a rogue bank transfer and mentioned that her Android mobile phone had been behaving oddly. Of course we would help; who wouldn’t be up for the| www.pentestpartners.com