Assetnote

@assetnote


Assetnote combines advanced reconnaissance and high-signal continuous security analysis to help enterprises gain insight and control of their evolving exposure.

Joined July 2017
@assetnote
Assetnote
1 month
The final research blog from @SLCyberSec's Christmas in July concerns three more critical vulnerabilities that our security researchers have uncovered in Adobe Experience Manager Forms: two paths to RCE and a pre-authentication XXE
slcyber.io
Vulnerabilities in AEM Forms The Searchlight Cyber Research Team discovered and disclosed three critical vulnerabilities in Adobe Experience Manager Forms to Adobe in late April 2025. As of writing...
@assetnote
Assetnote
1 month
Our Security Research team at @SLCyberSec found four vulnerabilities in the quality management platform ETQ Reliance, including a critical Remote Command Execution:
slcyber.io
Note: In correspondence with Hexagon while disclosing the bugs below, they informed us that any sharing of source code would be considered a violation of their terms and license. The Java code has...
@assetnote
Assetnote
1 month
Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher @hash_kitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements:
slcyber.io
Searchlight Cyber's Security Research team details a Novel Technique for SQL Injection in PDO's Prepared Statements.
@assetnote
Assetnote
2 months
Our Security Research team at @SLCyberSec discovered a pre-authentication RCE vulnerability in Sawtooth Lighthouse Studio (CVE-2025-34300). It affects all versions up to 9.16.14. Read more here:
slcyber.io
Searchlight Cyber uncovers remote code execution (RCE) vulnerability in survey software Lighthouse Studio, from Sawtooth Software
@assetnote
Assetnote
2 months
Continuing @SLCyber’s Christmas in July posts, our Security Research team discovered a pre-authentication NTLM hash disclosure vulnerability in DNN (formerly DotNetNuke), assigned CVE-2025-52488. Read more on our blog here:
@assetnote
Assetnote
2 months
For our first Christmas in July research post: How we managed to get persistent XSS on every Adobe Experience Manager Cloud instance three times!
@assetnote
Assetnote
2 months
We’re trying to buck the trend of critical vulnerabilities all landing at the end of the year, much to the despair of security professionals! This July, we’ll be publishing a series of vulnerabilities across the month. Stay tuned:
@assetnote
Assetnote
2 months
Our team recently used a novel technique to increase the impact of what seemed to be only a blind SSRF. This novel technique involving HTTP redirect loops and incremental status codes led to full HTTP response leakage. Read more on @SLCyberSec blog here:
slcyber.io
It's difficult to show impact for Server-Side Request Forgery (SSRF) vulnerabilities when you cannot see the full HTTP response. Our research team details a novel technique that allowed for us to...
@assetnote
Assetnote
5 months
Our security research team discovered a critical pre-authentication SQL injection vulnerability in Halo ITSM, a popular IT support software, often externally exposed and sensitive: Read more here:
@assetnote
Assetnote
5 months
Our security research team recently analyzed the authentication bypass vulnerability in Next.js (CVE-2025-29927). Our blog post details how to detect this vulnerability with more reliability. Read more here:
@assetnote
Assetnote
6 months
Our security research team discovered a pre-auth RCE (CVE-2025-27218) in Sitecore XP 10.4. You can read our research here:
@assetnote
Assetnote
7 months
Our security research team discovered an authentication bypass in Palo Alto's PAN-OS management interface. Our discoveries come shortly after exploit chains were released at the end of 2024 after a deeper investigation. You can read our research here:
@assetnote
Assetnote
7 months
We are thrilled to announce that Assetnote has been acquired by Searchlight Cyber! This is an exciting new chapter for our team as we continue our mission of providing our customers with a market-leading ASM solution. Joining forces with Searchlight Cyber means that we will be
@assetnote
Assetnote
7 months
🛠️ Building attack surface visibility from scratch taught us a crucial lesson: DNS wildcard detection requires more than open-source tools. Dive into our engineering journey:
Spotify:
Apple Podcasts:
YouTube:
@assetnote
Assetnote
8 months
Modern enterprise infrastructure isn't just cloud-centric - it's protected by WAFs and CDNs. This architectural shift creates new challenges for traditional asset discovery approaches. Understanding your entire attack surface requires adapting to these architectural realities.
@assetnote
Assetnote
8 months
🔒 The automation challenge in security:
Many orgs struggle to automate vulnerability detection safely. Our solution? Finding the sweet spot:
- Automated discovery
- Proven exploitability
- Zero disruption
- Safe execution
Learn how we make it work 🎧
Spotify:
@assetnote
Assetnote
8 months
What looks like a niche vulnerability in one attack surface becomes a pattern when you look across thousands. That's the power of automated depth in modern ASM. Listen to our full discussion:
Spotify:
Apple Podcasts:
YouTube:
@assetnote
Assetnote
8 months
🔍 The origin story of true ASM:
'We need to capture everything - new ports, changes, technologies - anything that could lead to exploitation.'
But monitoring isn't enough. Real ASM combines:
- Real-time asset awareness
- Scalable coverage
- True exploitability assessment
Listen
@assetnote
Assetnote
8 months
🛡️ Finding vulnerabilities is just the first step. The untold story: Our teams often spend weeks developing effective mitigations, working to have solutions ready before vendor patches. Because security isn't just about discovery - it's about protection. Learn more 🎧
Spotify:
@assetnote
Assetnote
8 months
In our Surfacing Security Podcast, we redefine #AttackSurfaceManagement. It's not just asset discovery - it's about integrating real-time asset awareness into core security processes. Learn how this approach elevates threat intel, incident response, and overall security posture.