exploitintel blog

Security research, vulnerability analysis, and platform updates from the Exploit Intelligence Platform team. Deep dives into exploit trends, CVE intelligence, and the tools we build for the security community.

Latest Post
· 14 min read

CVE-2026-28391: OpenClaw Command Injection - The Day I Hacked Myself

CVE-2026-28391 is a CVSS 9.8 command injection in OpenClaw < 2026.2.2, caused by a POSIX vs cmd.exe shell-parsing mismatch. Our own suggestion algorithm ranked it as the most interesting CVEForge target. 8/8 bypass vectors confirmed, code execution verified. This is the story of the day our orchestration layer dispatched a full vulnerability assessment against itself.

Tags: cve-2026-28391, openclaw, cveforge, command-injection, cwe-78, mcp, ai, security-research, exploit-intel, shell-parsing, posix, windows, responsible-disclosure, autonomous-exploitation
· 16 min read · EIP Team

Introducing FuzzForge: Autonomous Source-Code Fuzzing - Finding Bugs in nginx in 112 Minutes

We forked Shannon a third time. Seven AI agents, source code as the starting point, sanitizer-instrumented builds, and a pipeline that read 259 C files, built its own fuzzing harnesses, ran 18,000 iterations, and found a previously unknown FastCGI protocol desynchronization bug in nginx. Two hours. Twenty-five dollars.

Tags: fuzzforge, shannon, mcp, ai, fuzzing, nginx, fastcgi, security-research, source-code-analysis, sanitizer, asan, ubsan, autonomous-exploitation, exploit-intel, code-review, cwe-681
· 28 min read · EIP Team

CVE-2025-68670 Part 2: From Crash to RCE - The One That Fought Back (and Lost)

The first post ended with 'not a shell.' This one ends with uid=0(root) - with an asterisk. Ten context windows. A UTF-8 encoding barrier that blocks every libc address. A PLT mapping that lied. A stack alignment problem solved by a NULL pointer and a filename that shouldn't exist. The story of how a pre-auth xrdp overflow became (almost) pure-network RCE - through the most absurd gadget chain we've ever built.

Tags: cve-2025-68670, stackforge, shannon, mcp, ai, exploit-development, binary-exploitation, rop, xrdp, rdp, security-research, gdb, pre-auth, dlopen, utf-8, stack-alignment
· 22 min read · EIP Team

CVE-2025-68670: Pre-Auth xrdp Overflow - The One Where the Protocol Fought Back

xrdp. Pre-authentication. A full RDP handshake implemented from scratch. UTF-8 encoding constraints that break your ROP chain. A false crash path that wasted hours. And a 3-byte partial overwrite technique that reaches any address in the binary. Stackforge's hardest target yet - and the most honest result.

Tags: cve-2025-68670, stackforge, shannon, mcp, ai, exploit-development, binary-exploitation, rop, xrdp, rdp, security-research, gdb, pre-auth
· 22 min read · EIP Team

CVE-2025-62507: Redis Stack Overflow to RCE in 68 Minutes - Then We Turned ASLR On

The only public exploit for CVE-2025-62507 is a crash PoC with a note: 'Still some way to go... another day.' Stackforge went from CVE number to verified RCE in 68 minutes. Then we enabled ASLR and ran it again. Two runs, one copy-paste bug, and the question of whether the first OpenSSL result was a fluke.

Tags: cve-2025-62507, stackforge, shannon, mcp, ai, exploit-development, binary-exploitation, rop, redis, rce, aslr, security-research, gdb
· 18 min read · EIP Team

CVE-2025-15467: From OpenSSL Stack Overflow to Three ROP Chains in 64 Minutes - Introducing Stackforge

We forked Shannon again - this time for binary exploit development. Nine AI agents, GDB as an MCP tool, packet capture via SharkMCP, and a pipeline that turned an OpenSSL stack buffer overflow into three independent ROP chains with GDB-verified RCE. Eighty-five minutes. Twenty-five dollars. Here's how Stackforge works.

Tags: cve-2025-15467, stackforge, shannon, mcp, ai, exploit-development, binary-exploitation, rop, openssl, rce, security-research, gdb, pwntools, sharkmcp