2022

• A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
• Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS
• Your NAS is not your NAS !

2021

• A New Attack Surface on MS Exchange Part 3 - ProxyShell!
• A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
• A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

2020

• How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

2019

• Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!
• Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN
• Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
• Operation Crack: Hacking IDA Pro Installer PRNG from an Unusual Way
• Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!(EN)
• Hacking Jenkins Part 1 - Play with Dynamic Routing (EN)

2018

• Exim Off-by-one RCE: Exploiting CVE-2018-6789 with Fully Mitigations Bypassing
• Sandstorm Security Review

2017

• Road to Exim RCE - Abusing Unsafe Memory Allocator in the Most Popular MTA

2016

• Advisory: Accellion File Transfer Appliance Vulnerability