Pentest-Tools.com (@pentest-tools.com)

The new Offensive Security Research Hub on Pentest-Tools.com (led by Matei Badanoiu) shares the full discovery path: from anomalous behavior to validated vulnerability.

Original research for the hacker community: pentest-tools.com/research

#vulnerabilityresearch #infosec

09.03.2026 15:39 👍 0 🔁 0 💬 0 📌 0

Offensive Security Research Hub - Pentest-Tools.com

Most research write-ups tell you what the bug is. Very few show you how someone actually got there.

That gap matters.

09.03.2026 15:39 👍 0 🔁 0 💬 1 📌 0

Many thanks to Matei Badanoiu, Raul Bledea and Eusebiu Boghici for their contributions.

#offensivesecurity #vulnerabilityresearch #pentesting #infosec

Out of curiosity: how often do you still run into 10+ year-old libraries during engagements?

05.03.2026 15:46 👍 0 🔁 0 💬 0 📌 0

Result: full web app compromise.

We published the full exploit chain on our blogpost so practitioners can reproduce and validate the findings. Read the detailed research here: pentest-tools.com/blog/throwin...

05.03.2026 15:46 👍 0 🔁 0 💬 1 📌 0

💉 SQL injection (PTT-2025-030): usernames extracted during password reset (optional step)

⚡ PHP code execution (PTT-2025-026): unsanitized backslashes in the Dwoo parser resulting in RAW PHP CODE EXECUTION

05.03.2026 15:45 👍 0 🔁 0 💬 1 📌 0

The root causes? A *12-year-old Dwoo templating engine* and *outdated CodeIgniter3 code* still lurking in production systems.

The exploit chain combines:

🔓 Account takeover (PTT-2025-025): reset password tokens leaked by sending them to the attacker's inbox

05.03.2026 15:45 👍 0 🔁 0 💬 1 📌 0

Seven bugs. One unauthenticated RCE chain. Zero clicks.

This original research by our offensive security team into FuelCMS (v1.5.2) uncovered seven new vulnerabilities. By chaining some of them, we achieved Remote Code Execution (RCE).

05.03.2026 15:45 👍 0 🔁 0 💬 1 📌 0

Because real #pentesting workflows aren’t perfect - and good demos shouldn’t pretend they are.

What should we try (or possibly break) in the next demo? 👇

Sacha is also one of our most precious collaborators, check out his articles on our blog: pentest-tools.com/blog/authors...

04.03.2026 13:21 👍 0 🔁 0 💬 0 📌 0

📁 How he organizes targets with workspaces

📊 How he spots critical vulnerabilities from the dashboard

🔍 How he chains tools to validate findings faster

04.03.2026 13:21 👍 0 🔁 0 💬 1 📌 0

No polished slides. No “everything works on the first try.”

Just real demos - where things might break, scans might fail, and you see how practitioners adapt.

In the first session, Sacha Iakovenko walks through his process:

04.03.2026 13:21 👍 0 🔁 0 💬 1 📌 0

Pentest-Tools.com LIVE: Expert-led demo sessions #1 YouTube video by Pentest-Tools

Demo time! The place where tools behave perfectly… until you hit “Start.” 😅

We’ve launched a bi-weekly demo series where #offensivesecurity practitioners show how they *actually* use Pentest-Tools.com in real workflows.

youtu.be/TXoFOyOlyec?...

04.03.2026 13:20 👍 0 🔁 0 💬 1 📌 0

Catch the full breakdown in this link: pentest-tools.com/change-log

Until next time: Stay sharp. Stay human.

03.03.2026 14:13 👍 0 🔁 0 💬 0 📌 0

🛡️ New detection: Redis RCE - identify exploitable Redis instances (CVE-2025-62507) across internet-facing and internal segments.

🧭 Granular scan logs - Website and API Scanners now display discoveries in the console output in real-time.

03.03.2026 14:13 👍 0 🔁 0 💬 1 📌 0

🎯 One-click RCE validation - Sniper: Auto-Exploiter now supports controlled exploitation for Telnet (CVE-2026-24061) and Ivanti EPMM (CVE-2026-1281) for confirmed proof-of-impact.

03.03.2026 14:13 👍 0 🔁 0 💬 1 📌 0

🔐 ISO 27001 certified - we are officially ISO/IEC 27001:2022 certified, providing verified assurance for your sensitive findings.

03.03.2026 14:12 👍 0 🔁 0 💬 1 📌 0

February 2026 on Pentest-Tools.com: Better visibility, validated RCEs, and smoother compliance YouTube video by Pentest-Tools

February was about moving from detection to proof.

Here are the top updates in Pentest-Tools.com:

🧪 New research hub - we launched the Offensive Security Research Hub to share original 0-day research, working PoCs, and technical exploit chains built by our own team.

03.03.2026 14:11 👍 0 🔁 0 💬 1 📌 0

Bookmark this link, we're going to update it frequently with new learnings: pentest-tools.com/research

#vulnerabilityresearch #ethicalhacking #infosec

02.03.2026 12:56 👍 0 🔁 0 💬 0 📌 0

No summaries. No recycled advisories.

This is practitioner-grade research from people who _actively_ hunt and validate vulnerabilities.

If you want to understand how experienced attackers approach complex targets, start here.

02.03.2026 12:56 👍 0 🔁 0 💬 1 📌 0

You’ll see:

🛠️ Working PoCs and reproducible exploit paths
🧠 The exact reasoning that turned strange behavior into confirmed impact
⚖️ Field-tested analysis of edge cases, constraints, and trade-offs

02.03.2026 12:56 👍 1 🔁 0 💬 2 📌 0

Our #offensivesecurity team - led by Matei Badanoiu (CVE Jesus) - publishes original research: newly discovered vulnerabilities, deep technical write-ups, and full exploit chains built from real-world investigation.

02.03.2026 12:55 👍 0 🔁 0 💬 1 📌 0

Offensive Security Research Hub - Pentest-Tools.com

We just launched the Offensive Security Research Hub on Pentest-Tools.com!
This isn’t a CVE recap page.

02.03.2026 12:55 👍 0 🔁 0 💬 1 📌 0

3️⃣ The reporting drain

Evidence scattered. Deadline tomorrow.

We consolidate validated findings into client-ready reports, no copy-paste grind - automatically.

Want to dig deeper into IRL examples? Explore all product capabilities and features here:

pentest-tools.com/features

27.02.2026 13:15 👍 0 🔁 0 💬 0 📌 0

2️⃣ False positive fatigue

Your scanner flags 40 “critical” issues. Half won’t reproduce.

Validated findings with HTTP logs, exploit traces, and attack replay options let you focus on what’s really exploitable, not what’s noisy.

#offensivesecurity #penetrationtesting #vulnerabilitymanagement

27.02.2026 13:15 👍 0 🔁 0 💬 1 📌 0

Here's how we can help take away some (or even most!) of the pain:

1️⃣ “Is it actually exploitable?”

A 9.8 CVE drops. Version checks say “maybe.” 🤷‍♂️

We validate flaws like the recent React2Shell or RegreSSHion with safe exploit logic so you prove exposure, not guess it.

27.02.2026 13:14 👍 0 🔁 0 💬 1 📌 0

Features - Pentest-Tools.com

“Is it actually exploitable?”

"Is this an FP?"

"Is the report ready?"

You're probably sick & tired of dealing with these repetitive issues and it's probably because...

Fast scans don’t solve real problems. Proof does.

27.02.2026 13:14 👍 0 🔁 0 💬 1 📌 0

Want to find out more about BSides and maybe join in? Check out the details: 0x7ea.bsidesljubljana.si

25.02.2026 13:32 👍 0 🔁 0 💬 0 📌 0

To give you an idea of where that journey led: Razvan is one of fewer than 400 people worldwide who hold the GIAC Security Expert (GSE) certification (he is GSE 298).

If you’re early in your career and curious about pentesting, this one’s worth your time.

25.02.2026 13:31 👍 0 🔁 0 💬 1 📌 0

On Mar 13th 2026, Razvan-Costin IONESCU will have a career talk at Security BSidesLjubljana on how he made that shift: what helped, what slowed him down, and what to focus on if you want in.

25.02.2026 13:31 👍 0 🔁 0 💬 1 📌 0

Razvan Ionescu - Career talk @ BSIDES LJUBLJANA

From writing test cases to writing exploit paths.

The jump from QA to penetration testing isn’t magic. It’s mindset, reps, and a lot of uncomfortable learning.

25.02.2026 13:30 👍 0 🔁 0 💬 1 📌 0

No context switching. No rebuilding reports from scratch.

If reporting still feels heavier than testing, this link shows exactly how we handle it (sample report included): pentest-tools.com/features/vul...

24.02.2026 14:22 👍 0 🔁 0 💬 0 📌 0

Pentest-Tools.com

Latest posts by Pentest-Tools.com @pentest-tools.com