https://exploit-intel.com/blog/Recent content in Blog on Exploit Intelligence Platform - BlogHugoen-usSun, 17 May 2026 10:48:28 -0400https://exploit-intel.com/blog/posts/cve-2026-41702-vmware-fusion-cnxtmp-symlink-race/Sun, 17 May 2026 10:31:46 -0400https://exploit-intel.com/blog/posts/cve-2026-41702-vmware-fusion-cnxtmp-symlink-race/A TOCTOU race in VMware Fusion 25's vmx-apple binary that turns booting a VM into arbitrary chown, then arbitrary chown into a passwordless root shell via PAM injection. World-writable sticky directory, SUID-root callee, bind() and chown() both following symlinks, a 5-15 microsecond window between them. Full LPE chain in 40 seconds, single VM boot. The interesting part is what made it reliable.https://exploit-intel.com/blog/posts/hermes-vulnerability-research-assistant/Wed, 13 May 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/hermes-vulnerability-research-assistant/Hermes Agent with the EIP Harness: a conversational AI vulnerability research assistant that runs full CVE pipelines while you stay in the loop. Built on Nous Research's Hermes. Showcase: a GitLab runner-token leak chained to RCE (CVE-2022-0735), a neatvnc pre-auth stack overflow (CVE-2026-42859), and a KEV-listed Everest Forms PHP Object Injection (CVE-2026-3296), all end to end. Our first public release of EIP CVE pipeline craft, plus win11-forge for Windows kernel and usermode lab orchestration.https://exploit-intel.com/blog/posts/cve-2026-41940-cpanel-whm-auth-bypass/Fri, 01 May 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-41940-cpanel-whm-auth-bypass/CVE-2026-41940: a CRLF session-injection in cPanel & WHM that turns six unauthenticated HTTP requests into root SSH. Source-level walkthrough and audit.https://exploit-intel.com/blog/posts/eip-stix-taxii-exploit-intelligence-for-your-stack/Wed, 29 Apr 2026 00:00:00 +0000https://exploit-intel.com/blog/posts/eip-stix-taxii-exploit-intelligence-for-your-stack/EIP now exports CVE and exploit context as STIX 2.1 and serves a native TAXII 2.1 feed for SIEMs, TIPs, OpenCTI, Splunk ES, and Python pipelines.https://exploit-intel.com/blog/posts/cve-2026-35414-openssh-three-bugs-one-commit/Fri, 03 Apr 2026 08:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-35414-openssh-three-bugs-one-commit/CVE-2026-35414 is a certificate principal matching bypass in OpenSSH before 10.3. The advisory says one bug. We found three - a comma-splitting misuse, an empty-principals wildcard, and a reversed match_pattern call - all hiding in the same commit. Two are independently exploitable for authentication bypass. We built working PoCs for both, then kept reading and found two more undocumented issues: a PermitListen bypass via Unix socket forwarding and a KRL revocation gap for serial-zero certificates.https://exploit-intel.com/blog/posts/wp-google-map-plugin/Sun, 29 Mar 2026 00:00:00 -0400https://exploit-intel.com/blog/posts/wp-google-map-plugin/Line 781 says $query_to_run is safe. It isn't. An autonomous pipeline found a CVSS 9.8 unauthenticated SQL injection in WP Google Map Plugin v4.9.1 -- a three-link chain of individually harmless components that, together, give any visitor full database access. Then we kept reading and found the plugin deserializes update-check responses from an external server with maybe_unserialize(). 200,000+ active installs. 35 minutes. $8.97.https://exploit-intel.com/blog/posts/cve-2026-24289-winforge-kernel-iocp-race-condition/Mon, 16 Mar 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-24289-winforge-kernel-iocp-race-condition/WinForge's maiden voyage: a brand new pipeline module - QEMU VMs instead of Docker, WinDbg instead of GDB, binary diffing instead of source - pointed at a use-after-free in ntoskrnl.exe. 363 functions changed between builds, 8 needles in the haystack, and a PoC that ran 500,000 iterations without crashing. Because that was the point.https://exploit-intel.com/blog/posts/cve-2026-3910-v8-maglev-autonomous-exploit/Mon, 16 Mar 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-3910-v8-maglev-autonomous-exploit/A V8 Maglev JIT bug exploited in the wild by state actors. An autonomous pipeline that found it, exploited it in seven attempts, then bypassed both fixes -- in 75 minutes for $14.38. The compiler said it was a Smi. It wasn't.https://exploit-intel.com/blog/posts/six-ai-agents-one-security-company-the-paperclip-experiment/Mon, 16 Mar 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/six-ai-agents-one-security-company-the-paperclip-experiment/We used Paperclip AI to stand up a six-agent AI company that now runs our exploit research pipeline almost entirely on autopilot - CVE candidate selection, forge dispatch, results collection, and SEO all managed autonomously. A CEO, a security researcher, a software engineer, a QA reviewer, a research intern, and a pipeline operator - all AI agents. They refactored four codebases into a clean monorepo, hardened the security, and built the MCP tools that now let the whole chain run without us touching a terminal. Four days, 135 issues, $180. The $1.38 QA agent found a bypass in the $115 engineer's security fix. This is the full story of the Paperclip AI experiment.https://exploit-intel.com/blog/posts/cve-2026-4105-systemd-machined-privilege-escalation/Fri, 13 Mar 2026 22:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-4105-systemd-machined-privilege-escalation/CVE-2026-4105 dropped this morning - local privilege escalation to root on desktop Linux via systemd-machined. Two D-Bus calls, no authentication. We fed it to CVEForge before the advisory was an hour old. Seventy-two minutes later: confirmed exploit, Docker labs for vulnerable and patched builds, and a bypass proving the vendor's fix is incomplete. The analysis agent said the fix was thorough. The bypass agent proved it wrong.https://exploit-intel.com/blog/posts/cve-2026-28391-openclaw-command-injection-the-day-i-hacked-myself/Mon, 09 Mar 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/cve-2026-28391-openclaw-command-injection-the-day-i-hacked-myself/CVE-2026-28391 is a CVSS 9.8 command injection in OpenClaw < 2026.2.2, caused by a POSIX vs cmd.exe shell-parsing mismatch. Our own suggestion algorithm ranked it as the most interesting CVEForge target. 8/8 bypass vectors confirmed, code execution verified. This is the story of the day our orchestration layer dispatched a full vulnerability assessment against itself.https://exploit-intel.com/blog/posts/introducing-fuzzforge-autonomous-source-fuzzing-nginx/Sun, 08 Mar 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/introducing-fuzzforge-autonomous-source-fuzzing-nginx/We forked Shannon a third time. Seven AI agents, source code as the starting point, sanitizer-instrumented builds, and a pipeline that read 259 C files, built its own fuzzing harnesses, ran 18,000 iterations, and found a previously unknown FastCGI protocol desynchronization bug in nginx. Two hours. Twenty-five dollars.https://exploit-intel.com/blog/posts/cve-2025-68670-xrdp-from-crash-to-rce-the-one-that-fought-back/Wed, 04 Mar 2026 22:00:00 -0400https://exploit-intel.com/blog/posts/cve-2025-68670-xrdp-from-crash-to-rce-the-one-that-fought-back/The first post ended with 'not a shell.' This one ends with uid=0(root) - with an asterisk. Ten context windows. A UTF-8 encoding barrier that blocks every libc address. A PLT mapping that lied. A stack alignment problem solved by a NULL pointer and a filename that shouldn't exist. The story of how a pre-auth xrdp overflow became (almost) pure-network RCE - through the most absurd gadget chain we've ever built.https://exploit-intel.com/blog/posts/cve-2025-68670-xrdp-pre-auth-overflow-the-hard-one/Wed, 04 Mar 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/cve-2025-68670-xrdp-pre-auth-overflow-the-hard-one/xrdp. Pre-authentication. A full RDP handshake implemented from scratch. UTF-8 encoding constraints that break your ROP chain. A false crash path that wasted hours. And a 3-byte partial overwrite technique that reaches any address in the binary. Stackforge's hardest target yet - and the most honest result.https://exploit-intel.com/blog/posts/cve-2025-62507-redis-stackforge-from-crash-to-rce-with-aslr/Tue, 03 Mar 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/cve-2025-62507-redis-stackforge-from-crash-to-rce-with-aslr/The only public exploit for CVE-2025-62507 is a crash PoC with a note: 'Still some way to go... another day.' Stackforge went from CVE number to verified RCE in 68 minutes. Then we enabled ASLR and ran it again. Two runs, one copy-paste bug, and the question of whether the first OpenSSL result was a fluke.https://exploit-intel.com/blog/posts/cve-2025-15467-openssl-stackforge-autonomous-binary-exploit/Tue, 03 Mar 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/cve-2025-15467-openssl-stackforge-autonomous-binary-exploit/We forked Shannon again - this time for binary exploit development. Nine AI agents, GDB as an MCP tool, packet capture via SharkMCP, and a pipeline that turned an OpenSSL stack buffer overflow into three independent ROP chains with GDB-verified RCE. Eighty-five minutes. Twenty-five dollars. Here's how Stackforge works.https://exploit-intel.com/blog/posts/cve-2025-26866-hugegraph-hessian-deserialization-autonomous-exploit/Sun, 01 Mar 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/cve-2025-26866-hugegraph-hessian-deserialization-autonomous-exploit/CVE-2025-26866 is a Hessian deserialization RCE in Apache HugeGraph PD. Our autonomous exploit pipeline CVEForge - which had completed 56 consecutive CVEs - hit a wall: an undocumented binary protocol, a non-standard serialization format, and a class blacklist blocking every known gadget chain. The agent spent $49 and four hours reverse-engineering SOFABolt, mapping sofa-hessian byte by byte, and finding a JDK-only gadget chain to bypass the blacklist. Then we took over to turn file creation into a proper root shell - navigating JNDI hardening, CC library defenses, and a gadget chain that silently dies on modern JDK. The result: a full Metasploit module.https://exploit-intel.com/blog/posts/72-hours-24-cves-the-cveforge-stress-test/Sat, 28 Feb 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/72-hours-24-cves-the-cveforge-stress-test/We left CVEForge running for three days. Twenty-four CVEs went in. All twenty-four produced working PoCs. Ten incomplete fixes triggered eight responsible disclosure submissions - six GitHub issues, one MITRE report, one HackerOne 0-day. Here's the full accounting.https://exploit-intel.com/blog/posts/two-cves-two-outcomes-foreman-command-injection-telnetd-privilege-escalation/Fri, 27 Feb 2026 18:00:00 -0400https://exploit-intel.com/blog/posts/two-cves-two-outcomes-foreman-command-injection-telnetd-privilege-escalation/Foreman command injection via the REST API (CVE-2025-10622) and telnetd privilege escalation through environment variable injection (CVE-2026-28372) - CVEForge analyzes both end-to-end. One fix is a proper server-side whitelist. The other is a single unsetenv() call on a blacklist from 1995. Both produced working PoCs. Only one produced a fix we'd trust.https://exploit-intel.com/blog/posts/five-cves-three-bypasses-java-case-study/Fri, 27 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/five-cves-three-bypasses-java-case-study/In this CVEForge patch-validation run, we analyze CVE-2025-60355 in OneBlog (Java/FreeMarker) and compare outcomes across five CVEs. Three of five runs ended in confirmed bypass or incomplete-fix results.https://exploit-intel.com/blog/posts/zero-to-rce-autonomous-exploit-development/Thu, 26 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/zero-to-rce-autonomous-exploit-development/After CVEForge's first successful run, we needed to know if it was luck or a pattern. Two more CVEs, zero hand-holding, and an AI agent that found a fix bypass the developers missed.https://exploit-intel.com/blog/posts/cveforge-from-shannon-to-autonomous-poc/Wed, 25 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/cveforge-from-shannon-to-autonomous-poc/We forked Shannon - the open-source AI pentesting framework - and wired it to the EIP MCP server. Six AI agents, one CVE number, 32 minutes: a working RCE PoC for a CVSS 10.0 vulnerability with zero existing public exploits. Here's how it happened.https://exploit-intel.com/blog/posts/from-cve-to-bypass-with-mcp/Tue, 24 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/from-cve-to-bypass-with-mcp/One prompt kicked off an AI agent that built a full PoC lab for CVE-2026-28296 - and discovered the GVFS CRLF injection fix was incomplete. Here's how it happened.https://exploit-intel.com/blog/posts/teaching-ai-to-talk-exploits/Sun, 22 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/teaching-ai-to-talk-exploits/370K CVEs and 105K exploits in a database. Every tool assumed you knew what to search for. So we built a RAG chatbot that answers: what should I worry about?https://exploit-intel.com/blog/posts/introducing-eip-mcp-server/Fri, 20 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/introducing-eip-mcp-server/How a leftover MCP connector and a routine firmware review turned into something we didn't expect. The story behind EIP's MCP server - and the moment an AI agent surprised us.https://exploit-intel.com/blog/posts/eip-search-the-cli/Wed, 18 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/eip-search-the-cli/searchsploit changed how we find exploits. But the world moved on - EPSS, CISA KEV, trojan detection, AI analysis. eip-search brings all of it to your terminal.https://exploit-intel.com/blog/posts/anatomy-of-a-trojan-exploit/Sun, 15 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/anatomy-of-a-trojan-exploit/We analyzed 70K+ public exploits and found credential stealers, obfuscated backdoors, and destructive payloads - some with hundreds of GitHub stars. Here are the real examples.https://exploit-intel.com/blog/posts/building-exploit-intel-from-scratch/Tue, 10 Feb 2026 12:00:00 -0400https://exploit-intel.com/blog/posts/building-exploit-intel-from-scratch/The state of public exploit intelligence is fragmented, unverified, and sometimes actively hostile. We got tired of it and built our own. Here's the story.