Stephen Fewer
@stephenfewer
Principal Security Researcher @rapid7. Decompiler @relyze. Core @metasploit dev 2009 - 2013. MSRC Top 100 2015. Pwn2Own 2011, 2021, 2024.
Check out our analysis of the SharePoint ToolShell vulnerabilities: how the ITW exploit works, how it was patched, and why the initial patches could be easily bypassed securelist.com/toolshell-expl…
Blog for ToolShell Disclaimer: The content of this blog is provided for educational and informational purposes only. blog.viettelcybersecurity.com/sharepoint-too… #SharePoint #ToolShell
Happy Friday! We're ending the week by publishing our analysis of Fortinet's FortiWeb CVE-2025-25257.... labs.watchtowr.com/pre-auth-sql-i…
BEST day of the week 📰 EC 77 Out NOW! 🎉Binja Giveaway complete - check your email to see if you've won 🎉 @stephenfewer hacks a printer @bellis1000 continues his CVE-2025-31200 video series Windows tricks from @trickster012 + Jobs and MORE 👇 blog.exploits.club/exploits-club-…
Our @metasploit auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the device's default admin password (CVE-2024-51978), and then validate the creds: github.com/rapid7/metaspl…

Today @rapid7 is disclosing 8 new printer vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: rapid7.com/blog/post/mult…
Today @rapid7 disclosed two vulns affecting NetScaler Console and NetScaler SDX, found by Senior Security Researcher Calum Hutton! 🎉 Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365), and the authenticated arbitrary file write vuln (which the vendor has…
During root cause analysis for the #NetScaler Console vulnerability, CVE-2024-6235, Rapid7 discovered & disclosed to the vendor 2 additional high severity vulnerabilities. Find exploitation details, remediation advice & more in a new blog: r-7.co/4efpR1S
What does it take to hack a @Sonos Era 300 for Pwn2Own? Take a look at our process of adapting existing research, establishing a foothold, and exploiting media parsers for unauthenticated RCE over the network🔥👇 blog.ret2.io/2025/06/11/pwn…
Needed Reflective DLL Injection for Windows on ARM64 for a project, but public examples were nowhere to be found. So, here you go. My PoC adapts @stephenfewer's classic, detailing TEB/PEB access via x18 for ARM64. Hopefully useful for red team ops & offensive security…
A new @rapid7 Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii framework, this analysis details the root cause and how it can be leveraged for RCE via a dirty file write to a log file: attackerkb.com/topics/U2Ddokj…
At #Pwn2Own Ireland 2024, we successfully targeted the SOHO Smashup category. 🖨️ Starting with a QNAP QHora-322 NAS, we pivoted to the Canon imageCLASS MF656Cdw - and ended up with shellcode execution. Read the full vulnerability deep dive here 👉 neodyme.io/en/blog/pwn2ow…
In another great body of research from @the_emmons, this disclosure chains 3 new vulns in SonicWall's SMA 100 appliances to go from a low privileged account to full RCE as root!! Awesome work as always 🔥🔥🔥
Great work from @the_emmons on these! And our sincere thanks to SonicWall's PSIRT once again for their exceptionally speedy and helpful response 🙌 rapid7.com/blog/post/2025…
The @rapid7 ETR team has published an analysis of CVE-2025-2825, a critical authentication bypass for CrushFTP. Check it out here: attackerkb.com/topics/k0EgiL9…
Paged Out! #6 is out! pagedout.institute Totally free, 80 pages, best issue so far! 'nuff said, enjoy! (please RT to help spread out the news!)