Y-Security News and Updates

AXESS Auto Configuration Server – Denial of Service (CVE-2024-56316)

20. January 2025

The AXESS ACS allows remote unauthenticated attackers to cause a permanent Denial of Service (CVE-2024-56316)

Detail

StealthGuardian – Automatic TTP Analysis

2. August 2024

This August we publicly released one of our internal tools, StealthGuardian, at Black Hat USA…

Detail

Black Hat USA 2024

27. May 2024

The Y-Security team will be at the Black Hat ARSENAL USA 2024 on the 7th…

Detail

Red Team Ops I & II Review

16. April 2024

This spring we challenged ourselves by completing both Red Team certifications by Zero Point Security.

Detail

From Concept to Creation: Checking The Security Of LoRaWAN Implementations

13. March 2024

In this post we describe the process of creating a tailored LoRaWAN Penetration Testing environment.

Detail

Mobile Application Testing on Apple Silicon

14. June 2023

With this blog post we want to give a short introduction to Mobile Application Penetration…

Detail

EasyMind – Cross-Site Scripting (CVE-2023-30452)

16. May 2023

The EasyMind Confluence plugin is vulnerable to a Cross-Site Scripting vulnerability (CVE-2023-30452) within it’s core…

Detail

Reminder for Jira – Cross-Site Scripting (CVE-2023-30453)

16. May 2023

The Reminder for Jira plugin is vulnerable to a Cross-Site Scripting vulnerability (CVE-2023-30453) within the…

Detail

Advantages of Cloud Audit and Cloud Penetration Testing

4. May 2023

Offensive Security assessments in cloud environments can be performed in many ways. Today, we discuss…

Detail

Hack The Box BlackSky Cloud Hacking Labs – Blizzard

28. February 2023

In this post we present Blizzard, the BlackSky Cloud Hacking Lab scenario for Google Cloud…

Detail

Hack The Box BlackSky Cloud Hacking Labs – Cyclone

28. February 2023

In this post we present Cyclone, the BlackSky Cloud Hacking Lab scenario for Microsoft Azure…

Detail

Hack The Box BlackSky Cloud Hacking Labs – Hailstorm

28. February 2023

In this post we present Hailstorm, the BlackSky Cloud Hacking Lab scenario for Amazon Web…

Detail

German OWASP Day 2023

24. February 2023

Y-Security is sponsoring the German OWASP Day 2023 (#GOD). The Y-Security team will be at…

Detail

Ynachten 2022

23. December 2022

“Die größten Ereignisse, das sind nicht unsere lautesten, sondern unsere stillsten Stunden.” Friedrich Wilhelm Nietzsche…

Detail

Risk Management – Better Safe Than Sorry

6. December 2022

In this post we describe the basics of our approach to risk management.

Detail

Welcome To The Team – Thore

28. November 2022

In October, we added Thore to the Y-Team as an Advanced Attack Simulation Specialist. Thore…

Detail

The Scatter Swine

2. September 2022

Let’s review attacks of the last weeks (well, months …) against users of a well-known…

Detail

Year-One-Ylights

15. July 2022

Y-Security becomes One Year old – let’s celebrate! In July 2021 we’ve announced the launch…

Detail

TIBER in a Nutshell

10. March 2022

The Y-Security service lines are divided into Attack Simulations, Penetration Tests and Security Trainings. Below…

Detail

Insights into Penetration Test & Attack Simulation Reports

8. March 2022

Writing a technical good report is just one key aim when it comes to formalizing…

Detail

Blind Detection of the Log4j vulnerability en scale

21. January 2022

A lot has been said during our self-imposed 30 days embargo of our detection plugin…

Detail

Looking at the Portswigger Burp Suite Certification

11. January 2022

Y-Security recently took the challenge of mastering the Burp Suite Certification offered by the creators…

Detail

Microsoft Azure Portal – CSV Injection

6. December 2021

Various Azure Active Directory components can be used to export displayed data in CSV format….

Detail

Microsoft Teams – CSV Injection

1. December 2021

Microsoft Teams on Windows, Linux and the Web suffers from a CSV Injection vulnerability that…

Detail

Threat Simulation – Mimicking an APT

23. September 2021

Most have already heard about ransomware attacks, either in the news or as they have…

Detail

Microsoft Azure Portal – Persistent Cross-Site Scripting

15. September 2021

The notification widget of the Microsoft Azure Portal does not encode certain HTML characters. That…

Detail

All You Need To Know About Threat Intelligence-Based Ethical Red-Teaming

7. September 2021

TIBER is an acronym for Threat Intelligence-Based Ethical Red-Teaming. TIBER is a framework for adversary…

Detail

Insights Into Attack Simulations – Part 2

1. September 2021

Attack Simulations are known under a variety of names and variations like Red Team, Purple…

Detail

Insights Into Attack Simulations – Part 1

17. August 2021

Find out how we structure an end-to-end Attack Simulation against an organization and what the…

Detail

Disclosure Policy

16. August 2021

No, we won’t start another discussion about the ethics of disclosing security vulnerabilities to the…

Detail

Y-Security – That’s us

12. July 2021

At Y-Security we are specialized in performing Attack Simulations exercises, highly complex Penetration Tests and…

Detail