Advisories

Ethical research, responsible disclosure, real impact.

For over 15 years, members of our team have been actively contributing to the information security community – particularly through their involvement in the BackBox Linux project. Vulnerability research is not just part of our work; it’s part of who we are.

Our team dedicates a significant portion of its time to zero-day vulnerability research, exploit development, and continuous knowledge sharing. This commitment stems from a strong ethical motivation: securing the digital world by identifying, analyzing, and responsibly disclosing security flaws before malicious actors can exploit them.

All findings are handled through a strict responsible disclosure process. For each issue, we publish a detailed advisory outlining the vulnerability, its impact, proof of concept (when applicable), and suggested remediation steps. Over the years, our team has obtained multiple CVE identifiers, many of which stem from long-term research efforts and our close ties to the BackBox community.

We believe that knowledge should be shared. Beyond advisories, we contribute to open-source projects, publish research articles, and speak at conferences, openly sharing our methodologies, tools, and lessons learned.

Below is a curated list of the most recent CVEs disclosed by our team, with technical descriptions and relevant resources.

CVE-2025-26241
A bypass of the original fix for CVE-2021-45811 in osTicket 1.15.x allows authenticated attackers to exploit the same SQL injection vulnerability.
CVE-2024-51322
Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve remote code execution via the /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom and /jsp/gsmd_container.jsp components.
CVE-2024-51321
In Zucchetti Ad Hoc Infinity 2.4, an improper check on the m_cURL parameter allows an attacker to redirect the victim to an attacker-controlled website after authentication (open redirect).
CVE-2024-51320
Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve remote code execution via the /servlet/gsdm_fsave_htmltmp and /servlet/gsdm_btlk_openfile components.
CVE-2024-51319
A local file inclusion vulnerability in the /servlet/Report component of Zucchetti Ad Hoc Infinity 2.4 allows an authenticated attacker to achieve remote code execution by uploading a JSP web shell or reverse shell through /jsp/zimg_upload.jsp.
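The flaw class behind CVE-2024-51321, a post-login redirect parameter whose destination is not properly checked, is one of the easiest to get subtly wrong. The following is an added, generic example written for this page; it is not code from Zucchetti Ad Hoc Infinity nor from the advisory, and it does not reproduce the product's actual check. It places a deliberately weak validator of the kind that is routinely bypassed beside a hardened version that accepts only a same-origin path. The parameter name `next`, the default landing page `/home` and all test inputs are constructed for illustration.

```python
"""Open-redirect validation: a weak check beside a hardened one (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Assumed default landing page; not taken from any real product.
DEFAULT_LANDING = "/home"


def unsafe_redirect_target(raw, default=DEFAULT_LANDING):
    """Weak check: only refuses values beginning with 'http'.

    Misses protocol-relative ('//evil.example'), backslash ('/\\evil.example'),
    triple-slash ('///evil.example') and non-http scheme ('javascript:') forms.
    """
    if raw and not raw.lower().startswith("http"):
        return raw
    return default


def safe_redirect_target(raw, default=DEFAULT_LANDING):
    """Hardened check: accept only a same-origin, path-only target.

    Anything with a scheme or an authority is rejected outright rather than
    allow-listed, which keeps the policy small and easy to reason about.
    """
    if not isinstance(raw, str):
        return default
    candidate = raw.strip()
    # Control characters are a classic way to confuse URL parsers.
    if not candidate or any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Browsers treat a backslash like a slash in http(s) URLs, so normalise
    # before checking: '/\\evil.example' is really '//evil.example'.
    candidate = candidate.replace("\\", "/")
    # Must be an absolute path on this origin: exactly one leading slash.
    # Two or more leading slashes become an authority in browsers
    # ('///evil.example' resolves to https://evil.example/), even though
    # Python's urljoin keeps it on the base host, so urljoin is not a safe check.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Defence in depth: a single-slash string cannot carry a scheme or
    # netloc through urlsplit, but assert it anyway.
    if parts.scheme or parts.netloc:
        return default
    # Re-serialise only path, query and fragment; nothing else survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed test inputs: the first two are legitimate, the rest are the
# usual bypass attempts against a naive 'http' prefix check.
SAMPLE_TARGETS = [
    "/home?tab=1",
    "/reports/2024#summary",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example",
    "///evil.example",
    "javascript:alert(1)",
    " //evil.example",
]


def evaluate(targets=SAMPLE_TARGETS):
    """Return {input: (weak_result, hardened_result)} for each sample."""
    return {t: (unsafe_redirect_target(t), safe_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    for target, (weak, hardened) in evaluate().items():
        print(f"{target!r:32} weak -> {weak!r:32} hardened -> {hardened!r}")
```

The hardened function deliberately refuses absolute URLs to the application's own host as well; if a deployment genuinely needs cross-host redirects, compare `parts.hostname` against a short allow-list after the checks above rather than loosening them.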

If you’re interested in our past advisories, visit the dedicated page on BackBox.org for a complete archive and technical insights.