Technical Research

Otto Support - Testing MCP Servers

Jun 3, 2026

MCP servers introduce a new attack surface, but the security fundamentals are familiar. In this final otto-support post, we use nmap, a Nuclei template, and MCP Inspector to discover, enumerate, and exploit an authorization gap without ever touching an LLM.

By Michael Cheng

Technical Research

Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557

May 29, 2026

A CVSS 10.0 path traversal in UniFi Network Application lets unauthenticated attackers read controller backups, extract credentials, and take over every managed device on the network. Bishop Fox breaks down the attack paths, the preconditions, and a safe detection tool to check your exposure.

By Jon Williams

Technical Research

Sparkplug B Protocol Fuzzing with AI Assistance

May 26, 2026

Sparkplug B is the dominant protocol in ICS and SCADA environments, but no public security fuzzer existed for it until now. Bishop Fox used AI-assisted development to build one from scratch, covering all 9 message types, 19 data types, and 87+ field paths from the full specification.

By David Colón, Shad Malloy

Technical Research

Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass

May 22, 2026

CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.

By Jon Williams, John Untz, Bishop Fox Researchers

Technical Research

CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi

May 22, 2026

A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.

By Nate Robb

Technical Research

Otto Support - Logging and Visibility in MCP Servers

May 14, 2026

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

By Derek Rush

Technical Research

Otto-Support - Supply Chain Risks in MCP Servers

May 13, 2026

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

By Derek Rush

Technical Research

Otto Support - The Confused Deputy

May 8, 2026

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

By Derek Rush

Technical Research

Otto Support - SSRF and Token Passthrough with MCP

May 7, 2026

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.

By Derek Rush

Technical Research

CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy

May 6, 2026

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

By Nate Robb

Technical Research

Otto Support - Excessive Agency and Tool Privileges

May 6, 2026

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.

By Derek Rush

Technical Research

Otto Support – An MCP, Agentic-AI Security Challenge

Apr 23, 2026

Bishop Fox built a vulnerable MCP-based customer support tool and turned it into a security challenge. Explore how AI agents interact with tools, escalate privileges, and expose sensitive data. If you work with AI systems, this CTF shows exactly how these architectures fail in the real world.

By Derek Rush

Technical Research

Taking Maestro in Stride: AI Threat Modeling Frameworks

Apr 16, 2026

AI agents don’t fit traditional threat models. They act like users, services, and data pipelines at once. Learn why STRIDE alone falls short, how MAESTRO fills the gaps, and why modern AI systems must be treated as insider threats.

By Shad Malloy

Technical Research

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Apr 9, 2026

Cloud risk doesn’t live in a single permission, it lives in the relationships between them. Discover how Cirro maps hidden attack paths across Azure identities, resources, and data to reveal what attackers actually see.

By Leron Gray

Technical Research

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6–CVE-2026-35616

Apr 7, 2026

Bishop Fox researchers expanded on Fortinet's disclosure of CVE-2026-35616 by identifying the root cause via the released hotfix.

By John Untz

Technical Research

Delivered by Trust: What the Axios Supply Chain Attack Means for Security Leaders

Apr 6, 2026

A trusted package turned into an attacker’s gateway overnight. The Axios supply chain breach shows how quickly risk can spread—and why security leaders must rethink trust in modern development.

By Dillon Sparks

Technical Research

strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication

Mar 26, 2026

Bishop Fox researchers took a deep dive into a new strongSwan vulnerability that allows unauthenticated attackers to take VPN services offline. We created an easy tool to test your strongSwan deployment and recommend upgrading to version 6.0.5 or later.

By Jon Williams

Technical Research

Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643

Mar 9, 2026

FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.

By John Untz

Technical Research

Beyond Electron: Attacking Alternative Desktop Application Frameworks

Mar 3, 2026

Tauri promises a lighter, security-first future beyond Electron—but does it actually reduce risk? Carlos Yanez uncovers how XSS and permissive configs can still be chained into RCE, walking through real-world exploitation techniques every appsec team should understand.

By Carlos Yanez

Technical Research

The Total Cost of AI Ownership: The Costs Not on Your Budget Sheet

Jan 13, 2026

AI looks affordable at first: licenses, cloud, headcount. But once it’s in production, costs spread across teams, systems, and decisions in ways most models miss. Here’s what we’ve learned about the hidden costs of owning AI long-term.

By Kelly Albrink

Technical Research

GenAI DevOps: More Code, More Problems

Dec 30, 2025

GenAI has made it possible for anyone to ship production code, but security hasn’t caught up. The real risk isn’t bad AI code, it’s how quickly unsafe behavior reaches production. Here’s how to build guardrails so speed doesn’t become liability.

By Derek Rush

Technical Research

MITRE AADAPT Framework as a Red Team Roadmap

Dec 17, 2025

MITRE’s AADAPT framework exposes how attackers target digital-asset systems, but the real value comes from testing those threats. Learn how red teaming turns AADAPT into evidence-driven detection, stronger controls, and measurable protection against economic loss.

By Bishop Fox

Technical Research

Arista NextGen Firewall XSS to RCE Chain

Dec 4, 2025

Arista flagged three NG Firewall bugs as “limited.” Our researchers proved otherwise: real-world remote code execution is possible, and current patches don’t fully fix the root issues. Here’s what’s vulnerable, what we validated, and the steps to cut exposure now.

By Jon Williams, Ronan Kervella, Bishop Fox Researchers

Technical Research

Fortinet FortiWeb Authentication Bypass – CVE-2025-64446

Nov 19, 2025

Bishop Fox researchers discovered an authentication bypass in FortiWeb that lets attackers add their own admin accounts, take over the device, and erase evidence. Organizations can quickly check if they’re exposed using a new Bishop Fox scanner and should remove public access and update immediately.

By Jon Williams, John Untz
