Security Advisories

Published CVEs and responsible disclosures from my vulnerability research. Each finding was reported to the affected vendor and followed coordinated disclosure practices.

CVE-2024-45163 Critical Disclosed

Remote Unauthenticated Denial of Service in Mirai Botnet C&C Server

I discovered a vulnerability in the Mirai botnet's command and control server that allows any remote, unauthenticated attacker to crash the C&C process entirely. The flaw exists in how the server handles incoming connections before authentication, making it possible to send a crafted payload that triggers a fatal error. This effectively creates a "kill switch" for active Mirai C&C hosts. The finding was shared with global law enforcement agencies, enabling them to remotely disable malicious C&C infrastructure without needing to compromise or seize the servers directly.

Discovered: July 2024
Disclosed: August 2024
Impact: Global botnet C&C disruption
Status: Disclosed to law enforcement

CVE-2024-44809 High Patched

Remote Code Execution in Raspberry Pi Configuration Service

A remote code execution vulnerability in a Raspberry Pi configuration service allowed attackers to execute arbitrary commands on the host system. The service failed to sanitize user-supplied input before passing it to system-level calls, making exploitation straightforward for anyone with network access. I reported this to the maintainers, and a patch was released addressing the input validation flaw.

Discovered: June 2024
Disclosed: August 2024
Impact: Full system compromise via RCE
Status: Patched

CVE-2024-44808 High Patched

Privilege Escalation via Improper Access Control in Embedded Systems

I identified a privilege escalation vulnerability in the Vypor DDoS Attack API caused by improper access control mechanisms. The flaw allowed authenticated low-privilege users to execute remote commands at elevated privilege levels, bypassing intended authorization boundaries. This could be chained with other vulnerabilities to achieve full system control. The vendor was notified and released a fix that enforced proper role-based access checks.

Discovered: June 2024
Disclosed: August 2024
Impact: Remote command execution with elevated privileges
Status: Patched

CVE-2024-48396 Medium Patched

Information Disclosure Through Insecure API Endpoint

An API endpoint exposed sensitive system information to unauthenticated requests. The endpoint returned internal configuration details, software versions, and partial credentials that could be leveraged for further attacks. I reported the issue through the vendor's security contact, and the endpoint was secured with proper authentication and response filtering.

Discovered: September 2024
Disclosed: October 2024
Impact: Sensitive data exposure
Status: Patched

Roblox Platform Medium Patched

Responsible Disclosure to Roblox

I identified and reported a security vulnerability in the Roblox platform through their responsible disclosure program. The issue was acknowledged by their security team and patched in a subsequent release. Per the program's terms, specific technical details remain under the platform's disclosure guidelines.

Discovered: 2024
Program: Responsible Disclosure
Status: Patched

Fortune 500 Company High Confidential

High-Severity Vulnerability Under NDA

A high-severity vulnerability was discovered and reported to a Fortune 500 company through a private engagement. The details of this finding, including the affected product and technical specifics, are covered under a non-disclosure agreement. The issue has been resolved.

Discovered: 2024
Disclosure: Private, under NDA
Status: Resolved