I JUST WANTED TO… GRAFUNA RED TEAM

Observability is about visibility.

Visibility works both ways. If you can see it, someone else can too.

This post is the polite version of a talk I gave. The impolite version is the repo.

https://github.com/scadastrangelove/zeronights2025-GRAFUNA 

EPSS, KEV, and the Joy of Predicting the Past

There is a recurring belief in security that if we just collect enough numbers, the future will eventually confess.

EPSS is one such number.

A clean decimal. A percentile. A promise.

So we asked a boring question: what if you actually ran patch management using EPSS thresholds? Not in theory. Not in slides. In reality—against vulnerabilities that were already exploited.

We took all vulnerabilities added to CISA’s KEV catalog in 2025. KEV is not a model. It is not predictive. It is simply a list of things that were exploited hard enough that someone had to admit it.
Nerds welcome.. 

 

CVE-2025-20352: Exposed SNMP is “not a vuln”? 0kk...

It’s just a friendly UDP oracle telling strangers what your routers are, how old they are, and whether they like to take naps when prodded. Totally fine.

CVE-2025-20352 lives in Cisco IOS/IOS XE’s SNMP stack. Crafted packets + creds = sad router. While everyone argues about advisory footnotes, we do the boring part: find what talks SNMP with default communities and tag what looks at risk.

https://github.com/scadastrangelove/CVE-2025-20352 

Nuk‑Nuke

https://github.com/scadastrangelove/nuknuke 

A lightning‑fast decoy web‑server that fools vulnerability scanners by feeding them the answers they expect. Inspired by the 90‑s WinNuke prank and written for ProjectDiscovery’s Nuclei, Nuk‑Nuke parses every template under ~/nuclei‑templates, spins up a single‑py server and replies in a way that always triggers a positive match. Ideal for red‑blue exercises, honeynets or throttling noisy pentest pipelines without touching your production code.

YAUZA CTF 2021

For 48 hours, participants will be able to solve tasks of all categories: web, reverse, pwn, forensics, crypto, OSINT, joy. Also new categories have been added: hardware, pentest and emulation!

https://yauzactf.com/en

NVIDIA DGX A100 Security Update

The DGX A100 System Firmware Update container version 20.11.3 for Ubuntu with BMC version 00.13.04 fixes vulnerabilities described in NVIDIA Security Bulletin 5010 such as CVE‑2020‑11487.

More details can be found in recent AISec talks and releases. 

Enjoy

Vulnerabilities of Machine Learning Infrastructure (Slides/Video)

Vulnerabilities of Machine Learning Infrastructure talk as presented at CodeBlue 2020 Japan and Standoff365 by Sergey Gordeychik.

The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.