Unauthenticated RCE as QSECOFR via IBM i Management Central

Intro: We discovered and developed an exploit for a pre-authentication remote code execution vulnerability in IBM i Management Central (MGTC). The vulnerability allows an unauthenticated attacker to execute arbitrary CL commands as QSECOFR – the root-equivalent profile on IBM i – by abusing the MGTC packet protocol on port 5555....

13 minute read

IBM i LIBL Autopwn: Kill the Vulnerability Class

Intro: At the end of last year and the beginning of this one, I focused on IBM i library list (LIBL) based privilege escalation vulnerabilities — a subtle but critical class of issues that can quietly undermine the security of both the core operating system and 3rd party applications. While...

5 minute read

Exploit development for IBM i

Intro: At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and...

8 minute read

Rage Against the Authentication State Machine

This blogpost describes our journey through discovering CVE-2024-28080, an authentication bypass vulnerability in Gitblit, “an open-source, pure Java stack for managing, viewing, and serving Git repositories”. The vulnerability affects the SSH service and can only be exploited for users that have at least one public key assigned to their account....

13 minute read

Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions

As part of our ongoing research of the IBM i platform we monitor news and updates related to the platform. Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. The “no man’s land” between...

13 minute read

Story of a Pentester Recruitment 2025

In 2015, we published a blog post about the recruitment challenges we devised for candidates who’d like to join our pentester team. The post got much attention, with supportive comments and criticism as well. Learning from this experience, we created a completely new challenge that we’re retiring today, and we’d...

19 minute read

Handling Arbitrarily Nested Structures with Burp Suite

This is a blog post by Erik Szinai, who worked with us as an intern during the last couple of months. We hope our readers will find his contribution to the Burp Suite ecosystem useful! Burp usually excels in automatically detecting arbitrarily nested structures, encodings and datatypes found in HTTP...

10 minute read

Engineering WCF Hacks

There aren’t too many professions in IT that make professionals learn as many different technologies as pentesting does: one week you are neck-deep in Windows AD, the next you are trying to make sense of some custom thick client protocol in Wireshark, while you are running some webapp scans in...

13 minute read