
April 26, 2023
X41 Audited simplejson
X41 releases the audit report of simplejson
January 17, 2023
X41 Audited Git
X41 releases the audit report of Git
October 26, 2022
X41 Audited The Update Framework (TUF)
X41 releases the audit report of The Update Framework.
August 30, 2022
X41 Audited Backstage
X41 has finished auditing the Backstage platform and releases the resulting report.
June 28, 2022
AnyZone - Delegated zones for every IP
AnyZone lets you easily get a delegated zone for testing purposes without touching zone files
June 14, 2022
Wrapping up Unikernel Security Research
As part of his master's thesis, Leonard Rapp analyzed the security of various popular unikernels. This blog post is the last one in the unikernel series. It discusses some of the findings and draws a conclusion.
May 18, 2022
Missing or Weak Mitigations in Various Unikernels
Several security weaknesses and missing mitigations were discovered in various unikernel systems
March 31, 2022
Critical Vulnerabilities in Spring and Spring Cloud Function That Will Probably Make This Weekend Less Fun - Analysis and Overview
The popular Java Spring framework may be affected by multiple remote code execution (RCE) vulnerabilities.
March 09, 2022
RustyHermit Security Vulnerabilities & Missing Mitigations
The research unikernel RustyHermit was further audited for security vulnerabilities and the effectiveness of its mitigations.
January 18, 2022
Telenot Complex: Insecure AES Key Generation
CVE-2021-34600: How predictable random numbers (literally) open the door for attackers: Our discovery of a flaw in the generation of AES keys, used for both physical and remote access, in a popular alarm system's parameterization software. Includes a proof-of-concept for cloning NFC tags!
January 18, 2022
Advisory X41-2021-003: Telenot complex - Insecure AES Key Generation
The compasX parameterization software for complex alarm systems generated the AES keys used for both physical access control (via NFC tags) and remote management in an insecure fashion.
January 12, 2022
RustyHermit Missing Memory Protections
The research unikernel RustyHermit lacks several memory protection mechanisms, which significantly eases attacks on vulnerable applications.
December 14, 2021
X41 D-Sec GmbH Thetanuts.Finance Public Security Review
X41 D-Sec GmbH ("X41"), a research-driven IT security company, released a public audit report of the Thetanuts.Finance smart contracts.
May 25, 2021
nginx DNS Resolver Off-by-One Heap Write Vulnerability
An off-by-one error in ngx_resolver_copy() while processing DNS responses allows a network attacker to write a dot character ('.', 0x2E) out of bounds in a heap allocated buffer.
May 03, 2021
QR Code reconstruction
Reconstructing a QR Code from partially censored images.
January 28, 2021
Advisory X41-2021-001: Multiple Vulnerabilities in YARA
Luis Merino of X41 discovered multiple vulnerabilities in YARA
December 21, 2020
Microsoft Exchange Remote Code Execution - CVE-2020-16875
The patch for CVE-2020-16875 in Microsoft Exchange can be bypassed to gain remote code execution again.
October 06, 2020
Pro-bono Pentests for COVID-19-related Apps & Software
COVID-19 pro-bono program finished
September 22, 2020
Decompressing Xamarin DLLs
Solving a small decompression challenge during an audit
July 15, 2020
bspatch strikes back
The tale of a forgotten bug in bspatch.