Return to schedule

Hafnium from the inside Feedback

The process from initial IR call to discovering the 0-day later called 2021-26857. Brief discussion of the submission process with Microsoft and a technical look on the actual exploit. No longer fully NDA'd, so I can share the exploit, slightly redacted. Will have a working demo, might have produced a full PoC by August.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

*Customer in the IR case have requested that as little as possbile is shared, so I would prefer not to have it recorded.


Speakers for Hafnium from the inside:


Metadata for Hafnium from the inside

To be recorded: No

URLs for Hafnium from the inside

No URLs found.


Schedule for Hafnium from the inside

    Not scheduled yet