Offensive
Security Blog

Industry

Mythos Doesn't Deploy Itself

Jun 9, 2026

AI is raising the ceiling for skilled researchers and flooding bug bounty programs with polished but inaccurate submissions at the same time. Both things are true, and the reconciling variable is the harness built around the model and the expertise of the person driving it.

By Vincent Liu

Technical Research

Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis

Jun 5, 2026

A three-part vulnerability chain in UniFi OS Server lets an unauthenticated attacker bypass the auth gateway, hit a command injection sink, and escalate to root in a single request. Bishop Fox confirmed the chain end to end and breaks down the attack, the impact, and how to detect it safely.

By Jon Williams

Technical Research

Otto Support - Testing MCP Servers

Jun 3, 2026

MCP servers introduce a new attack surface, but the security fundamentals are familiar. In this final otto-support post, we use nmap, a Nuclei template, and MCP Inspector to discover, enumerate, and exploit an authorization gap without ever touching an LLM.

By Michael Cheng

Technical Research

Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557

May 29, 2026

A CVSS 10.0 path traversal in UniFi Network Application lets unauthenticated attackers read controller backups, extract credentials, and take over every managed device on the network. Bishop Fox breaks down the attack paths, the preconditions, and a safe detection tool to check your exposure.

By Jon Williams

Technical Research

Sparkplug B Protocol Fuzzing with AI Assistance

May 26, 2026

Sparkplug B is the dominant protocol in ICS and SCADA environments, but no public security fuzzer existed for it until now. Bishop Fox used AI-assisted development to build one from scratch, covering all 9 message types, 19 data types, and 87+ field paths from the full specification.

By David Colón, Shad Malloy

Technical Research

Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass

May 22, 2026

CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.

By Jon Williams, John Untz, Bishop Fox Researchers

Technical Research

CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi

May 22, 2026

A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.

By Nate Robb

Technical Research

Otto Support - Logging and Visibility in MCP Servers

May 14, 2026

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

By Derek Rush

Technical Research

Otto-Support - Supply Chain Risks in MCP Servers

May 13, 2026

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

By Derek Rush

Industry

Introducing Joro: Using AI to Build Security Tooling

May 12, 2026

Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.

By Tony West

Technical Research

Otto Support - The Confused Deputy

May 8, 2026

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

By Derek Rush

Technical Research

Otto Support - SSRF and Token Passthrough with MCP

May 7, 2026

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.

By Derek Rush

Technical Research

Otto Support - Excessive Agency and Tool Privileges

May 6, 2026

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.

By Derek Rush

Technical Research

CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy

May 6, 2026

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

By Nate Robb

Industry

Azure Hacking: New Cloudfoxable Challenges

May 4, 2026

Cloudfoxable started as a hands-on AWS security training tool. Now it's expanding. Bishop Fox has launched the first set of Azure challenges, giving security professionals a safe, intentionally misconfigured environment to explore identity-driven attack paths and privilege escalation in Azure.

By Gerben Kleijn

Industry

Introducing AIMap: Security Testing For AI Agent Infrastructure

Apr 30, 2026

Attackers can already find, connect to, and probe your exposed AI agent infrastructure. AIMap gives defenders that same visibility. Built by Bishop Fox, this open-source tool discovers, scores, and tests exposed AI endpoints so you can understand your real attack surface before someone else does.

By Aashiq Ramachandran

Technical Research

Otto Support – An MCP, Agentic-AI Security Challenge

Apr 23, 2026

Bishop Fox built a vulnerable MCP-based customer support tool and turned it into a security challenge. Explore how AI agents interact with tools, escalate privileges, and expose sensitive data. If you work with AI systems, this CTF shows exactly how these architectures fail in the real world.

By Derek Rush

Industry

Understanding the CVE Ecosystem and NIST’s Changing Role

Apr 22, 2026

NIST just announced it's prioritizing CVE enrichment for government systems and deprioritizing everything else. For security teams that rely on NVD data, the gap is real. Here's what changed, why it's been coming for years, and what your team should do to stay ahead of the risk.

By Richard Brown

Technical Research

Taking Maestro in Stride: AI Threat Modeling Frameworks

Apr 16, 2026

AI agents don’t fit traditional threat models. They act like users, services, and data pipelines at once. Learn why STRIDE alone falls short, how MAESTRO fills the gaps, and why modern AI systems must be treated as insider threats.

By Shad Malloy

Industry

Anthropic’s Claude Mythos Preview: The AI Cybersecurity Inflection Point

Apr 14, 2026

AI just crossed a threshold. Anthropic’s Claude Mythos can discover and chain vulnerabilities at scale—faster than teams can remediate. What does this mean for your security program, your providers, and your ability to keep up before attackers do?

By Bishop Fox

Technical Research

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Apr 9, 2026

Cloud risk doesn’t live in a single permission, it lives in the relationships between them. Discover how Cirro maps hidden attack paths across Azure identities, resources, and data to reveal what attackers actually see.

By Leron Gray

Technical Research

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6–CVE-2026-35616

Apr 7, 2026

Bishop Fox researchers expanded on Fortinet's disclosure of CVE-2026-35616 by identifying the root cause via the released hotfix.

By John Untz

Technical Research

Delivered by Trust: What the Axios Supply Chain Attack Means for Security Leaders

Apr 6, 2026

A trusted package turned into an attacker’s gateway overnight. The Axios supply chain breach shows how quickly risk can spread—and why security leaders must rethink trust in modern development.

By Dillon Sparks

Technical Research

strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication

Mar 26, 2026

Bishop Fox researchers took a deep dive into a new strongSwan vulnerability that allows unauthenticated attackers to take VPN services offline. We created an easy tool to test your strongSwan deployment & recommend upgrading to version 6.0.5 and later.

By Jon Williams