Attack Research

SEARCH

CATEGORIES

TAGS

    Attack Blogs, Attack Paths, Attack Research

    Defending with AD Tripwires: GOAD Walkthrough

    January 26, 2026
    This walkthrough shows how AD Tripwires turn quiet Active Directory reconnaissance into deterministic, low-noise detections. Using a GOAD (Game of Active Directory) environment, we demonstrate how exposed-credentials, Kerberoasting, and AS-REP Roasting tripwire accounts surface attacker behavior early in the attack path—mapping real techniques to Windows Security Events and platform alerts so defenders can see exactly…
    Read More →
    Diagram showing attacker touching tripwire accounts, Domain Controller writing Windows events, AD Tripwires generating alerts, and Security Information and Event Management (SIEM)/Endpoint Detection and Response (EDR) notifying analysts.
    Attack Blogs, Disclosures

    Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

    January 22, 2026
    CVE-2026-22200 is a severe vulnerability affecting osTicket, a popular open source helpdesk and ticketing system. This vulnerability enables anonymous attackers to read arbitrary files from the osTicket server, and in some cases execute arbitrary code. This issue is patched in osTicket 1.18.3 / 1.17.7.
    Read More →
    Attack Research

    Beyond the Perimeter: Why Deception is Critical to Protecting the World’s Most Sensitive Organisations

    January 21, 2026
    Insights from the UK NCSC Active Cyber Defence trials reveal why cyber deception, Tripwires, and attacker-centric defense are critical for protecting highly sensitive organisations.
    Read More →
    Attack Blogs, Attack Research, Disclosures

    CVE-2025-64155: Three Years of Remotely Rooting the Fortinet FortiSIEM

    January 13, 2026
    CVE-2025-64155 chains argument injection and privilege escalation flaws in FortiSIEM to achieve remote root compromise.
    Read More →
    Attack Blogs

    The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)

    CVE-2026-21858, the so-called “Ni8mare” n8n RCE, drew significant attention—but real-world impact appears limited. Horizon3.ai breaks down the technical prerequisites, observed exposure, and why most organizations are unlikely to be affected.
    Read More →
    Unauthenticated n8n form endpoint used as part of Ni8mare vulnerability testing
    Attack Blogs, Attack Paths, Attack Research

    The FreePBX Rabbit Hole: CVE-2025-66039 and others

    December 11, 2025
    We dive into a new set of FreePBX issues beyond CVE-2025-57819: an authentication bypass in webserver mode (CVE-2025-66039), multiple SQL injections (CVE-2025-61675), and an arbitrary file upload bug leading to remote code execution (CVE-2025-61678). Together, they allow authenticated or unauthenticated attackers to achieve code execution on vulnerable FreePBX instances using risky auth settings. This write-up…
    Read More →
    Visual header graphic representing FreePBX security vulnerabilities, including authentication bypass, SQL injection, and remote code execution risks.
    Attack Blogs, Disclosures

    N-able N-central: From N-days to 0-days

    Horizon3.ai discovered two critical vulnerabilities in N-able N-central — CVE-2025-9316 and CVE-2025-11700 — that can be chained to leak credentials and fully compromise the appliance. This in-depth analysis details how the flaws were found, exploited, responsibly disclosed, and patched in version 2025.4, turning N-days into true 0-days.
    Read More →
    Illustrative image supporting the content on the “n able n central from n days to 0 days” page.
    Attack Paths

    Hack The Box – Retro

    November 10, 2025
    NodeZero® autonomously solved Hack The Box Retro in just 11 minutes, chaining SMB guest access and weak credentials into an ADCS privilege escalation. This demonstration highlights how autonomous pentesting uncovers exploit chains and validates real attack paths, proving Horizon3.ai’s commitment to evidence-based, attacker-validated security.
    Read More →
    Illustrative image supporting the content on the “hack the box retro” page.
    Attack Blogs, Attack Paths

    The Quiet Attack Path

    October 21, 2025
    Attackers turn native Active Directory features into a low-noise, high-impact playbook: stealthy enumeration, Kerberoasting, and AS-REP roasting can produce crackable credentials and clear paths to domain admin in minutes. This post walks through the first 15 minutes of an AD intrusion, why traditional SIEM/EDR struggles to detect it, and what defenders must catch early to…
    Read More →
    Attack Blogs

    From Support Ticket to Zero Day

    August 13, 2025
    Examining a Critical Vulnerability in Xerox FreeFlow Core
    Read More →