vulnerability reporting

Winsage
April 18, 2026
A researcher known as “Chaotic Eclipse” has revealed a new zero-day vulnerability in Microsoft Defender, called “RedSun,” which allows local privilege escalation to SYSTEM on Windows 10, Windows 11, and Windows Server when Microsoft Defender is enabled. The exploit has been confirmed to work, and some antivirus vendors have begun detecting it. This follows another vulnerability disclosure by the same researcher, named BlueHammer, which also allows local attackers to elevate their permissions. Chaotic Eclipse expressed dissatisfaction with Microsoft’s handling of vulnerability disclosures, claiming they were threatened and were frustrated by the company’s response. A Microsoft spokesperson stated that the company is committed to investigating reported security issues and supports coordinated vulnerability disclosure.
Tech Optimizer
February 14, 2025
Rapid7 has identified a SQL injection vulnerability, CVE-2025-1094, affecting all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19, with a CVSS 3.1 base score of 8.1. This vulnerability is linked to another vulnerability, CVE-2024-12356, which allows unauthenticated remote code execution in BeyondTrust's solutions; exploiting CVE-2024-12356 requires prior exploitation of CVE-2025-1094. The issue arises from flawed assumptions in PostgreSQL's string escaping routines, particularly in their handling of invalid UTF-8 byte sequences, which can lead to SQL injection through the psql tool. Under certain conditions, attackers can execute arbitrary SQL statements and operating system shell commands. Users are advised to upgrade to fixed PostgreSQL versions to mitigate the risk. A Metasploit exploit module for CVE-2025-1094 is also available for vulnerable BeyondTrust systems.
AppWizard
August 19, 2024
Google is terminating the Google Play Security Reward Program (GPSRP) on August 31st, 2024, due to a decrease in reported vulnerabilities. The program, which began in October 2017, incentivized external security researchers to identify vulnerabilities in Android applications on the Google Play Store. It initially focused on a limited number of apps but later expanded to include apps from major companies like Amazon, Snapchat, Tesla, and TikTok. Despite the program's success in improving security, Google believes its existing protocols are sufficient, leading to the decision to end financial rewards for vulnerability reports. Security researchers can still participate in the Vulnerability Rewards Program, which has been expanded to include Generative Artificial Intelligence platforms.