[tl;dr sec] #310 – Vulnerable MCP Labs, Pathfinding.cloud, Prompt Injection Taxonomy

Aloha

I hope you had an awesome holiday break and great start to the new year!

I spent a few weeks with my family in the Midwest, where I survived the cold despite my now frail Californian temperament, hit the gym with my brother, and took a boxing class taught by my sister.

We also did a Wicked movie day, where we watched part 1 in the morning then immediately went to a Part 2 matinee. My mom was hopped up on espresso so she couldn’t stop adding commentary during the former. Delightful.

And for part 2, my sister and I managed to sneak in a metric ton of snacks into the theater, including a Ziploc bag of raw cookie dough to snack on. Sneaking snacks into a theater is one of my great joys in life, don’t judge me.

Currently I’m up late writing this newsletter from Hawaii, continuing my long tradition of writing tl;dr sec from a hotel room in a nice location on not-quite-vacation.

Have a great rest of your week, and talk soon!

If I were a betting man, I’d bet that most orgs don’t know how many and which AI notetakers are being used. Or where the data is going. This feels like latent potential attack surface to me. Good to get it under control.

AppSec

Adversis/tailsnitch
By Adversis: A security auditor for Tailscale configurations. Scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations. It can also generate SOC 2 compliance reports with Common Criteria mappings.

joe-desimone/mongobleed
By Joe Desimone: A proof-of-concept exploit for the MongoDB zlib decompression vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive server memory.

Joe tweet: “This could be a case study in speed running from patch to poc with LLM. Done in less than 10 minutes with Cursor and a single prompt. Helped that the vuln trigger is included as a unit test in the fix commit.”

ORM Leaking More Than You Joined For
Elttam’s Alex Brown expands on their previous Object Relational Mapper (ORM) Leak research and Black Hat EU briefing ORMageddon: Leaking More Than You Joined For. ORM Leaks occur when web apps offer robust filtering or search capabilities in a way that can be abused to filter objects by sensitive or hidden fields. Developers often rely on the ORM to determine which fields are queryable and to prevent SQL injection, but overlook explicitly validating which fields should be queryable.

The post walks through an interesting expression-parser bug in the Beego ORM, and an authentication-bypass technique for the Prisma ORM. They’ve published Semgrep rules for detecting potentially dangerous uses of the Django, Prisma, Beego, and Entity Framework ORMs. They also previously released plormber, a tool for exploiting time-based ORM Leak vulnerabilities.
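As an added example (not code from Elttam’s post or their Semgrep rules), here is the check the post says developers skip, in plain Python with Django-style filter keys: the vulnerable handler forwards query parameters straight into an ORM `filter(**kwargs)` call, while the hardened one allowlists both the field and the lookup and refuses any key that hops across a relation. The model fields (`title`, `status`, `published`) are assumed for illustration.

```python
from typing import Mapping

# Django-style filter keys look like "field", "field__lookup" or "relation__field__lookup".
# Any segment that is not a known lookup is a hop to another field or model, and that hop
# is exactly how a filter on a hidden column (a password hash, a token) becomes an oracle.
ALLOWED_FIELDS = {"title", "status", "published"}   # assumed model fields, not from the post
ALLOWED_LOOKUPS = {"exact", "iexact"}                # no startswith/regex/gt: per-character leaks

class ORMLeakError(ValueError):
    """Raised when a caller-supplied filter key falls outside the allowlist."""

def vulnerable_filter_kwargs(params: Mapping[str, str]) -> dict:
    """The anti-pattern the post describes: let the ORM decide what is queryable,
    so ?created_by__password__startswith=a would become a perfectly valid filter."""
    return dict(params)

def safe_filter_kwargs(params: Mapping[str, str]) -> dict:
    """Allowlist the field and the lookup; reject any key that traverses relations."""
    kwargs: dict[str, str] = {}
    for key, value in params.items():
        parts = key.split("__")
        field = parts[0]
        lookup = parts[1] if len(parts) == 2 else "exact"
        if len(parts) > 2:
            raise ORMLeakError(f"relation traversal rejected: {key}")
        if field not in ALLOWED_FIELDS:
            raise ORMLeakError(f"field not queryable: {field}")
        if lookup not in ALLOWED_LOOKUPS:           # also catches "author__email": a hidden hop
            raise ORMLeakError(f"lookup not allowed on {field}: {lookup}")
        kwargs[f"{field}__{lookup}"] = value
    return kwargs

def is_rejected(params: Mapping[str, str]) -> bool:
    """True when the hardened path refuses a request the vulnerable path would forward as-is."""
    try:
        safe_filter_kwargs(params)
    except ORMLeakError:
        return True
    return False
```

The returned dict is what you would hand to `Model.objects.filter(**kwargs)`; the allowlist is the explicit validation step, independent of whatever the ORM itself considers queryable.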

The 2025 GigaOm SecOps Automation Radar evaluated 19 vendors and concluded that architecture is the most important decision factor in the market. LLM-first solutions unlock new automation capabilities but face edge cases and volatility in production deployments. Workflow-based tools offer predictability but require extensive manual maintenance.

The report highlights more specialized and sustainable approaches that combine multiple AI techniques (semantic, behavioral, and LLMs) rather than relying on LLMs alone.

This looks cool. I agree that architecture for LLM tooling makes a big difference, and I’m a big fan of combining multiple techniques. Seems like an informative read.

Cloud Security

Introducing Pathfinding.cloud
Datadog’s Seth Art announces the release of pathfinding.cloud, an extensive knowledge base that documents the IAM permissions and permission sets that allow for privilege escalation in AWS, currently documenting 65+ AWS IAM privilege escalation paths in a standardized YAML schema. Each path includes unique identifiers, categorization (self-escalation, principal access, new/existing PassRole, credential access), required vs. additional permissions, explicit prerequisites for exploitation, attack visualizations, and detection tool coverage. 42% of the paths are currently undetected by existing open-source tools like Prowler, Cloudsplaining, PMapper, and Pacu.

Interestingly, Team Xint Code, the folks behind the Theori team who competed in the AIxCC cyber grand challenge competition, had successful entries for PostgreSQL, Redis, and MariaDB. In other words, an AI-based vulnerability hunting tool found impactful vulnerabilities in popular, widely used software.

Privilege escalation with SageMaker and there’s more hiding in execution roles
Plerion’s Gen Z whisperer Daniel Grzelak describes a privilege escalation pattern in AWS where attackers can gain an instance’s execution role privileges by modifying boot-time code execution configurations. He demonstrates this with two examples: EC2 (using ec2:ModifyInstanceAttribute to inject userData with a #cloud-boothook directive) and a SageMaker Notebook instance variant (using lifecycle configurations); both let attackers execute arbitrary code with the target’s IAM permissions.

This pattern generalizes to other AWS services where execution roles are configured separately from code modifications. Daniel recommends detecting these and similar attacks via unusual stop→modify→start sequences, and prevention through strict permission boundaries around configuration-changing capabilities.

The post discusses some scenarios across the CloudGoat, IAM-Vulnerable, and CloudFoxable platforms plus new Bedrock challenges, with the key takeaway that many high-risk actions cannot be granularly constrained by SCPs or resource policies because they lack resource-level ARNs or condition keys.

Blue Team

0x4D31/santamon
By Adel Karimi: A lightweight macOS detection sidecar for Santa that evaluates Endpoint Security telemetry locally with CEL rules and forwards only matched detection signals to a backend server. A “poor man’s macOS EDR for home labs and small fleets.”

What are Composite Detections?
Zack Allen explains composite (correlated/stateful) detection rules, which combine multiple atomic detections to reduce false positives by adding context around attack chains, using MITRE ATT&CK as a framework. Zack walks through an example where three atomic rules (admin login, CreateUser, AttachUserPolicy with admin privileges) are combined using windowing (capturing activity in time windows) to detect AWS account persistence attempts, filtering out benign activity that would trigger individual rules.
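As an added example (not code from Daniel’s or Zack’s posts), a small windowed correlator that expresses both chains described above as composite rules over constructed CloudTrail-like events: Daniel’s stop → modify → start sequence against an EC2 instance, and Zack’s admin login → CreateUser → AttachUserPolicy persistence chain. The record fields (`actor`, `name`, `attribute`, `policy`, `admin`) are simplified stand-ins for the real CloudTrail fields, and events are correlated per principal.

```python
from datetime import datetime, timedelta

def correlate(events: list[dict], stages: list, window: timedelta) -> list[list[dict]]:
    """Composite detection: per actor, find the atomic rules in `stages` firing in order
    within `window` of the first one. A single stage on its own never produces a hit."""
    by_actor: dict[str, list[dict]] = {}
    for rec in sorted(events, key=lambda e: e["time"]):      # CloudTrail-like records
        by_actor.setdefault(rec["actor"], []).append(rec)
    hits = []
    for recs in by_actor.values():
        for i, first in enumerate(recs):
            if not stages[0](first):
                continue
            chain, nxt = [first], 1
            for rec in recs[i + 1:]:
                if rec["time"] - first["time"] > window:
                    break                                    # window closed, chain incomplete
                if stages[nxt](rec):
                    chain.append(rec); nxt += 1
                    if nxt == len(stages):
                        hits.append(chain); break
    return hits

def ev(minute: int, actor: str, name: str, **extra) -> dict:  # constructed sample event
    return {"time": datetime(2026, 1, 5, 12, minute), "actor": actor, "name": name, **extra}

EXEC_ROLE_HIJACK = [  # chain 1, the EC2 variant: stop -> rewrite userData -> start
    lambda e: e["name"] == "StopInstances",
    lambda e: e["name"] == "ModifyInstanceAttribute" and e.get("attribute") == "userData",
    lambda e: e["name"] == "StartInstances",
]
IAM_PERSISTENCE = [  # chain 2, the composite: admin login -> CreateUser -> AdministratorAccess
    lambda e: e["name"] == "ConsoleLogin" and e.get("admin") is True,
    lambda e: e["name"] == "CreateUser",
    lambda e: e["name"] == "AttachUserPolicy" and e.get("policy", "").endswith("/AdministratorAccess"),
]
SAMPLE = [  # constructed, not real log data: one malicious chain per rule set plus benign noise
    ev(0, "dev-role", "StopInstances", instance="i-0example"),
    ev(1, "dev-role", "ModifyInstanceAttribute", instance="i-0example", attribute="userData"),
    ev(2, "dev-role", "StartInstances", instance="i-0example"),
    ev(3, "ops-admin", "ModifyInstanceAttribute", instance="i-0other", attribute="instanceType"),
    ev(10, "alice", "ConsoleLogin", admin=True),
    ev(12, "alice", "CreateUser", user="svc-backup"),
    ev(13, "alice", "AttachUserPolicy", user="svc-backup", policy="arn:aws:iam::aws:policy/AdministratorAccess"),
    ev(20, "bob", "CreateUser", user="intern"),              # a lone CreateUser must not alert
]

def detect(events: list[dict] = SAMPLE, window_minutes: int = 15) -> dict:
    window = timedelta(minutes=window_minutes)
    return {"exec_role_hijack": correlate(events, EXEC_ROLE_HIJACK, window),
            "iam_persistence": correlate(events, IAM_PERSISTENCE, window)}
```

A production version of chain 1 would also pin the instance ID across the three stages; here the per-actor grouping stands in for that join.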

Beyond the bomb: When adversaries bring their own virtual machine for persistence
Red Canary’s Tony Lambert and Chris Brook describe a novel attack where adversaries used spam bombing (flooding a victim’s inbox with thousands of unsolicited emails, a popular distraction tactic) and social engineering → Quick Assist to deploy a custom QEMU VM running Windows 7 SP1. The VM contained Sliver C2 implants, ScreenConnect, and a QDoor backdoor for network reconnaissance and persistence. Forensic details: Plaso timeline analysis, prefetch data (records info about application usage), browser history, and tools like The Sleuth Kit and VMray.

AI + Security

appsecco/vulnerable-mcp-servers-lab
By Appsecco’s Riyaz Walikar: A collection of 9 intentionally vulnerable MCP servers designed to help you learn how to penetration test AI agent infrastructure. The labs include servers containing path traversal with code execution via unsafe path joining and unsandboxed Python execution, indirect prompt injection through documents with embedded hidden instructions (both local stdio and remote HTTP+SSE variants), eval-based RCE in a “quote of the day” tool, instruction injection via fabricated tool outputs, supply-chain attacks through typosquatting, secrets/PII exposure in utility tools, and more.

The Arcanum Prompt Injection Taxonomy
Jason Haddix announced (blog) the release of the Arcanum Prompt Injection Taxonomy 1.5, an interactive, open-source classification system for LLM prompt injection attacks. The taxonomy organizes attacks across four dimensions: Attack Intents (goals like data exfiltration or jailbreaking), Attack Techniques (methods like direct or indirect injection), Attack Evasions (obfuscation methods including Base64 encoding and emoji encoding), and Attack Inputs (entry points for attacks). Neat!

I really like the idea of writing down a bunch of your predictions, and then grading them later. One personal frustration I have is that I haven’t done this really. I remember in ~2010 being very surprised that attackers weren’t systematically backdooring open source libraries/supply chain security wasn’t a big thing. Obviously we’ve seen a lot of malicious dependencies over the past few years. I (and you, dear reader) should try to carve out time to write down our predictions.

Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing
Stanford’s Justin Lin, Dan Boneh, and other Stanford, CMU, and Gray Swan AI folks evaluated ten cybersecurity professionals alongside six existing AI agents and ARTEMIS, their new agent scaffold, on a large university network consisting of ~8,000 hosts across 12 subnets. ARTEMIS is a multi-agent framework featuring dynamic prompt generation, arbitrary sub-agents, and automatic vulnerability triaging. ARTEMIS placed second overall, discovering 9 valid vulnerabilities with an 82% valid submission rate and outperforming 9 of 10 human participants.

They found that AI agents offer advantages in systematic enumeration, parallel exploitation, and cost (certain ARTEMIS variants cost $18/hour vs $60/hour for professional penetration testers). Capability gaps: AI agents exhibit higher false-positive rates and struggle with GUI-based tasks.

Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I’d really appreciate if you’d forward it to them.

P.S. Feel free to connect with me on LinkedIn.