Searching for Deserialization Protection Bypasses in Microsoft Exchange (CVE-2022-21969)
This story begins with a series of fails, but why? That is because of my special relationship with the Microsoft Exchange codebase…
Jan 12, 2022

Bye Bye medium.com
No more medium.com in the future. I’ll publish my new blog posts here instead…see you there.
May 24, 2022

Pwning 3CX Phone Management Backends from the Internet
After an unplanned journey with Microsoft Exchange the month before, I started to look for new interesting vulnerability research targets…
Mar 30, 2022

Another Zoho ManageEngine Story
This is another white-box analysis story about a product from Zoho Corp (see my older blog post on OpManager SQLi). Since several critical…
May 11, 2020

Yet Another .NET deserialization
This is my second post on white-box analysis but for another technology stack and vulnerability category: .NET deserialization leading to…
Dec 29, 2019

Finding SQL injections fast with white-box analysis — a recent bug example
On September 13th I submitted a bug for Zoho’s OpManager product. It was fixed quite fast by the development team and a new version 12.4…
Oct 13, 2019