Hack Responsibly

Browse Hack Responsibly, a technical blog by The NetSPI Agents. Dive deep into the latest CVEs and vulnerabilities our team uncovers, and how we help NetSPI customers protect against the most important threats today.

Secure Code Review

Detecting Authorization Flaws in Java Spring via Source Code Review (SCR)

Discover how secure code review catches privilege escalation vulnerabilities in Java Spring apps that pentests miss – identify insecure patterns early.

Learn More
Network Pentesting

Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key

NetSPI discovered a remote code execution vulnerability in SailPoint IQService using default encryption keys. Exploit details, discovery methods, and remediation guidance included.

Learn More
Cloud Pentesting

Extracting Sensitive Information from Azure Load Testing

Learn how Azure Load Testing’s JMeter JMX and Locust support enables code execution, metadata queries, reverse shells, and Key Vault secret extraction vulnerabilities.

Learn More
Network Pentesting

CVE-2025-26685 – Spoofing to Elevate Privileges with Microsoft Defender for Identity 

Discover how NetSPI uncovered and reported a vulnerability in Microsoft Defender for Identity that allowed unauthenticated attackers to perform spoofing and elevate privileges.

Learn More
Hardware and Embedded Systems Penetration Testing

Pew Pew, Precisely: The Physics and Practices Behind RayV Lite

We began with a simple question: could laser fault injection be democratized? Our answer is a resounding yes. With back-of-the-envelope physics, modest optics, and basic spare parts, we created a replicable, low-cost method for laser-based hardware attacks.

Learn More
Red Teaming

CVE-2025-23009 & CVE-2025-23010: Elevating Privileges with SonicWall NetExtender

NetSPI discovered multiple arbitrary SYSTEM file delete vulnerabilities in SonicWall NetExtender for Windows. Learn how NetSPI discovered and leveraged these for local privilege escalation.

Learn More
Web Application Pentesting

Getting Shells at Terminal Velocity with Wopper

This article introduces Wopper – a new NetSPI tool that creates self-deleting PHP files and automates code execution on WordPress using administrator credentials.

Learn More
Adversary Simulation

CVE-2025-21299 and CVE-2025-29809: Unguarding Microsoft Credential Guard

Learn more about the January 2025 Patch Tuesday that addresses a critical vulnerability where Kerberos canonicalization flaws allow attackers to bypass Virtualization Based Security and extract protected TGTs from Windows systems.

Learn More
Web Application Pentesting

CVE-2025-27590 – Oxidized Web: Local File Overwrite to Remote Code Execution

Learn about a critical security vulnerability (CVE-2025-27590) in Oxidized Web v0.14 that allows attackers to overwrite local files and execute remote code execution.

Learn More
Web Application Pentesting

A Not So Comprehensive Guide to Securing Your Salesforce Organization

Explore key background knowledge on authorization issues and common bad practices developers may unintentionally introduce in Salesforce Orgs.

Learn More
Adversary Simulation

The Things We Think and Do Not Say: The Future of Our Beacon Object Files (BOFs)

Learn about a reference design for a new Beacon Object Files portable executable concept and helpful features.

Learn More
Adversary Simulation

CVE-2024-28989: Weak Encryption Key Management in Solar Winds Web Help Desk

Learn how an attacker with access to a backup file could potentially recover certain encrypted passwords.

Learn More