Two vulnerabilities have been identified in RapidFire Tools Network Detective, a system assessment and reporting tool developed by Kaseya (RapidFire Tools). These issues significantly compromise the confidentiality and integrity of credentials gathered and processed during routine network scans, exposing sensitive data to both local attackers and potentially malicious insiders.
Vulnerability 1: Passwords in Cleartext
During its normal operation, Network Detective saves usernames and passwords in plain, readable text across several temporary files. These files are stored locally on the device and are not protected or hidden. In many cases, the credentials collected include privileged or administrative accounts, such as those used for VMware.
An attacker who gains access to the machine running the scan—whether physically, remotely, or through malware—can easily retrieve these passwords without needing to decrypt anything. This presents a serious risk to client infrastructure, especially when those credentials are reused or provide broad system access.
Vulnerability 2: Reversible Encryption
RapidFire Tools Network Detective uses a flawed method to encrypt passwords and other sensitive data during network scans. The encryption process is based on static, built-in values, which means it produces the same result every time for the same input. This makes it possible for anyone with access to the tool or encrypted data to easily reverse the encryption and retrieve original passwords.
This weakness puts client environments at risk, especially since the encrypted data often includes administrative credentials. The encryption does not follow modern security standards, and attackers do not need special tools or expertise to break it—only access to the files or application.
Analysis and Background
Network Detective, a product developed by RapidFire Tools (a Kaseya company), is designed to scan networks for vulnerabilities, misconfigurations, and compliance issues. It is used by managed service providers (MSPs), IT consultants, and internal IT departments to assess network health and generate reports. While commonly deployed as a standalone binary for one-off scans—often during sales or onboarding—Network Detective also supports scheduled, recurring scans in installed environments.
The application is typically configured via a step-by-step wizard, prompting users to define targets (e.g., IP ranges), scan types (e.g., HIPAA, PCI), and credentials for services such as Active Directory or VMware. This configuration is stored locally and reused for automated scans. Notably, the same binaries are used for both ad hoc and scheduled executions, meaning any vulnerabilities affect both deployment models equally.
Due to its ease of use and deep network visibility, the tool is often run with elevated privileges across production systems. Users implicitly trust the application to securely handle credentials and sensitive data. However, the issues discovered occur under default conditions, without requiring misuse or advanced manipulation—highlighting a significant risk for environments relying on the tool for security posture validation.
Ian Carroll, Sam Curry / ian.sh
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We discovered a vulnerability that could allow an attacker to access more than 64 million job applications. This data includes applicants' names, resumes, email addresses, phone numbers, and personality test results.
McHire is the chatbot recruitment platform used by 90% of McDonald’s franchisees. Prospective employees chat with a bot named Olivia, created by a company called Paradox.ai, that collects their personal information, shift preferences, and administers personality tests. We noticed this after seeing complaints on Reddit of the bot responding with nonsensical answers.
During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.
We disclosed this issue to Paradox.ai and McDonald’s at the same time.
06/30/2025 5:46PM ET: Disclosed to Paradox.ai and McDonald’s
06/30/2025 6:24PM ET: McDonald’s confirms receipt and requests technical details
06/30/2025 7:31PM ET: Credentials are no longer usable to access the app
07/01/2025 9:44PM ET: Followed up on status
07/01/2025 10:18PM ET: Paradox.ai confirms the issues have been resolved
Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.
A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities
This is a blog post for my presentation at the conference POC2024. The slides are uploaded here.
In the macOS system, most processes are running in a restricted sandbox environment, whether they are Apple’s own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) from these processes, their capabilities are constrained. The next step for the attacker is to circumvent the sandbox to gain enhanced execution capabilities and broader file access permissions.
But how to discover sandbox escape vulnerabilities? Upon reviewing the existing issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-32414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, CVE-2024-27864, CVE-2023-42977, and more.
Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers.
In our work, we present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.
Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.
