Markus Wulftange (@mwulftange)'s Twitter Profile
Markus Wulftange

@mwulftange

Principal Security Researcher and Pâtissier at @codewhitesec

ID: 2242897958

12-12-2013 20:45:28

517 Tweets

2,2K Followers

190 Following

CODE WHITE GmbH (@codewhitesec):

We are nominated again for PortSwigger's "Top 10 Web Hacking Techniques" and we're even in with two entries for 2023: ➡️ Java Exploitation Restrictions in Modern JDK Times ➡️ JMX Exploitation Revisited ✍️ Vote now: portswigger.net/polls/top-10-w…

CODE WHITE GmbH (@codewhitesec):

The specter of .NET Remoting haunts unsuspecting ASP.NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: code-white.com/blog/leaking-o…

Markus Wulftange (@mwulftange):

Just to clarify: you can make your ASP .NET web app vulnerable just by using Microsoft's Application Insights, DataDog, or similar diagnostics/monitoring/tracing facility that stores a MarshalByRefObject in the LocalCallContext.

Markus Wulftange (@mwulftange):

Another clarification: The web app itself does not need to use .NET Remoting, the required handlers are registered by default. All you need is a MarshalByRefObject stored in the LogicCallContext when the exception gets serialized. The mentioned libraries provide that condition.

CODE WHITE GmbH (@codewhitesec):

Still interested in leaking & exploiting ObjRefs in .NET Remoting? Have fun with our test bench, example p(l)ayloads and exploit script over at github.com/codewhitesec/H…

CODE WHITE GmbH (@codewhitesec):

Today, CODE WHITE turns 10 🥳 Over the past decade, we've hacked our way through 120+ large corporations' defenses, caused headaches for Blue Teams and disclosed numerous 0days to vendors. Proudly grown from a few motivated hackers in 2014 to an established team of 50+ today 💪

Markus Wulftange (@mwulftange):

So, this happens if you register with 'Ideagen Community' and ask for the preferred way of reporting vulnerabilities in Ideagen products ... 🙃

CODE WHITE GmbH (@codewhitesec):

Another product, another deserialization vulnerability, another RCE from Markus Wulftange: Patch your Telerik Report Server (CVE-2024-6327 & CVE-2024-6096) code-white.com/public-vulnera…

CODE WHITE GmbH (@codewhitesec):

Teaching the Old .NET Remoting New Exploitation Tricks – read how Markus Wulftange developed novel techniques to exploit Apache log4net's hardened .NET Remoting service: code-white.com/blog/teaching-…

CODE WHITE GmbH (@codewhitesec):

BeanBeat has been acquired by Kurts Maultaschenfabrikle! You don't know what that means? Head over to apply-if-you-can.com to find out in challenges that, without exception, stem from real-world vulns #uncompromisingRealism #finestHacking

CODE WHITE GmbH (@codewhitesec):

Using Telerik Reporting or Report Server? Patch now to fix 3 RCEs Markus Wulftange found (CVE-2024-8015, CVE-2024-8014, CVE-2024-8048). Telerik vulns have a history of being exploited by threat actors according to CISA Cyber Details at code-white.com/public-vulnera…

CODE WHITE GmbH (@codewhitesec):

Ever wondered how Kurts Maultaschenfabrikle got hacked in 2023? The full story, all technical details, out now ;-) apply-if-you-can.com/walkthrough/20…

CODE WHITE GmbH (@codewhitesec):

Our crew members Markus Wulftange & frycos discovered & responsibly disclosed several new RCE gadgets that bypass #Veeam's blacklist for CVE-2024-40711 & CVE-2025-23120 as well as further entry points following SinSinology & Piotr Bazydło's blog. Don’t blacklist, replace BinaryFormatter.

CODE WHITE GmbH (@codewhitesec):

Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti code-white.com/blog/ivanti-de…

CODE WHITE GmbH (@codewhitesec):

We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by Khoa Dinh to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to Markus Wulftange

CODE WHITE GmbH (@codewhitesec):

We've added a new demo to NewRemotingTricks that makes deploying a MarshalByRefObject (e.g., WebClient) even easier: System.Lazy<T> creates an instance of T on serialization, which is probably more likely to be allowed than a XAML gadget getting through. github.com/codewhitesec/N…