This talk builds on our previous SSL VPN work (NachoVPN) - and surprise surprise: Zero Trust still isn’t Zero Risk. If you’re in Vegas, swing by, or hit us up. #DEFCON33 #ZTNA #SASE #ZeroTrust #RedTeam #AmberWolf #VEGAS #DEFCON.

What to expect:.🔓 Bypassing auth and posture checks.📈 Privilege escalation.🔁 Inter-process comms abuse.🚨 Previously undisclosed vulns.🎯 Real-world tradecraft.

We’re dropping fresh research into ZTNA and SASE platforms like ZScaler, Netskope, and Check Point - and showing how “next-gen” cloud VPNs are still vulnerable to some old-school bugs… and a few nasty new ones.

🎤 #DEFCON33 - We’re Presenting!.Big news: AmberWolf is hitting the DEF CON 33 stage this August. Our very own Rich Warren and David Cash (@buffaoverflow and @jonnyspandex respectively) will be presenting Zero Trust, Total Bust – Breaking into thousands of cloud VPNs with one bug.

Read our full analysis of the vulnerability and its potential exploitation here:

These core dumps may contain sensitive data and compromise the integrity of ThinOS’s storage encryption, directly contradicting Dell’s documentation, which states that all partitions except the boot partition are encrypted.

If the device configuration allows it, this option can be accessed by unauthenticated users. In addition, previously generated core dumps may be accessible to unauthenticated attackers.

AmberWolf has published technical details on CVE-2025-32752, a vulnerability affecting Dell ThinOS. Security researcher @R3n5k1 discovered that when the troubleshooting feature “Create Core Dump” is used, ThinOS saves core dumps to an unencrypted partition.

You can read our latest blog at

The Kubernetes Security Response Committee has published an advisory for CVE-2024-9042, affecting Windows worker nodes querying the /logs endpoint. Iain Smart, Principal Security Consultant at AmberWolf, reproduced the issue & shared detection insights in our latest blog.

All I want for Christmas is U(RL handlers not vulnerable to RCE). AmberWolf has published information about CVE-2024-12908, a Remote Code Execution vulnerability in the Delinea Secret Server Protocol Handler. You can read our blog & PoC here:.

CVE-2024-5921 is a Remote Code Execution and Privilege Escalation vulnerability in Palo Alto Global Protect, which is also exploitable using NachoVPN. Our full technical write up is available here:

CVE-2024-29014 is an RCE as SYSTEM vulnerability in SonicWall NetExtender that is exploitable using NachoVPN. Full technical details of the vulnerability are available in out blog:

You can get the code, the prebuilt container or contribute modules on GitHub:

NachoVPN is a modular server that allows for the automatic exploitation of VPN clients when they connect. It currently supports Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect and Pulse/Ivanti Connect Secure) across a multiple platforms.

Today, AmberWolf released two blog posts and our tool "NachoVPN" to target vulnerabilities in major VPNs, including CVE-2024-29014 (SonicWall NetExtender SYSTEM RCE) and CVE-2024-5921 (Palo Alto GlobalProtect RCE and Priv Esc), after our SANS HackFest presentation.🧵.

RT @buffaloverflow: Heres the slides from our HackFest Hollywood talk. We shared details on a new Palo Alto 0day and provide some tips on….

AmberWolf is hiring experienced Red Team operators! Join our fun, supportive team if you have (or have had) CCSAS/CCSAM certs and a passion for delivering world-class engagements. Apply now: #hiring #RedTeam.

The slides for @buffaloverflow and @johnnyspandex's "Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells" are now available on our GitHub: #hackfest.

RT @jon__reiter: Richard and David from @AmberWolfSec speaking about Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for R….