Offensive
Security Blog

Technical Research

Otto Support - Logging and Visibility in MCP Servers

May 14, 2026

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

By Derek Rush

Technical Research

Otto-Support - Supply Chain Risks in MCP Servers

May 13, 2026

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

By Derek Rush

Industry

Introducing Joro: Using AI to Build Security Tooling

May 12, 2026

Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.

By Tony West

Technical Research

Otto Support - The Confused Deputy

May 8, 2026

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

By Derek Rush

Technical Research

Otto Support - SSRF and Token Passthrough with MCP

May 7, 2026

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.

By Derek Rush

Technical Research

CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy

May 6, 2026

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

By Nate Robb

Technical Research

Otto Support - Excessive Agency and Tool Privileges

May 6, 2026

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.

By Derek Rush

Industry

Azure Hacking: New Cloudfoxable Challenges

May 4, 2026

Cloudfoxable started as a hands-on AWS security training tool. Now it's expanding. Bishop Fox has launched the first set of Azure challenges, giving security professionals a safe, intentionally misconfigured environment to explore identity-driven attack paths and privilege escalation in Azure.

By Gerben Kleijn

Industry

Introducing AIMap: Security Testing For AI Agent Infrastructure

Apr 30, 2026

Attackers can already find, connect to, and probe your exposed AI agent infrastructure. AIMap gives defenders that same visibility. Built by Bishop Fox, this open-source tool discovers, scores, and tests exposed AI endpoints so you can understand your real attack surface before someone else does.

By Aashiq Ramachandran

Technical Research

Otto Support – An MCP, Agentic-AI Security Challenge

Apr 23, 2026

Bishop Fox built a vulnerable MCP-based customer support tool and turned it into a security challenge. Explore how AI agents interact with tools, escalate privileges, and expose sensitive data. If you work with AI systems, this CTF shows exactly how these architectures fail in the real world.

By Derek Rush

Industry

Understanding the CVE Ecosystem and NIST’s Changing Role

Apr 22, 2026

NIST just announced it's prioritizing CVE enrichment for government systems and deprioritizing everything else. For security teams that rely on NVD data, the gap is real. Here's what changed, why it's been coming for years, and what your team should do to stay ahead of the risk.

By Richard Brown

Technical Research

Taking Maestro in Stride: AI Threat Modeling Frameworks

Apr 16, 2026

AI agents don’t fit traditional threat models. They act like users, services, and data pipelines at once. Learn why STRIDE alone falls short, how MAESTRO fills the gaps, and why modern AI systems must be treated as insider threats.

By Shad Malloy

Industry

Anthropic’s Claude Mythos Preview: The AI Cybersecurity Inflection Point

Apr 14, 2026

AI just crossed a threshold. Anthropic’s Claude Mythos can discover and chain vulnerabilities at scale—faster than teams can remediate. What does this mean for your security program, your providers, and your ability to keep up before attackers do?

By Bishop Fox

Technical Research

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Apr 9, 2026

Cloud risk doesn’t live in a single permission, it lives in the relationships between them. Discover how Cirro maps hidden attack paths across Azure identities, resources, and data to reveal what attackers actually see.

By Leron Gray

Technical Research

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6–CVE-2026-35616

Apr 7, 2026

Bishop Fox researchers expanded on Fortinet's disclosure of CVE-2026-35616 by identifying the root cause via the released hotfix.

By John Untz

Technical Research

Delivered by Trust: What the Axios Supply Chain Attack Means for Security Leaders

Apr 6, 2026

A trusted package turned into an attacker’s gateway overnight. The Axios supply chain breach shows how quickly risk can spread—and why security leaders must rethink trust in modern development.

By Dillon Sparks

Technical Research

strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication

Mar 26, 2026

Bishop Fox researchers took a deep dive into a new strongSwan vulnerability that allows unauthenticated attackers to take VPN services offline. We created an easy tool to test your strongSwan deployment & recommend upgrading to version 6.0.5 and later.

By Jon Williams

Industry

Accidental Engineer: Building My First Hardware Tool the Hard Way

Mar 17, 2026

I set out to build a rugged badge-cloning tool for field use, with zero hardware background. This is the story of learning electrical engineering from scratch, navigating bad assumptions, and discovering that curiosity, persistence, and hands-on testing can take you further than you think.

By Raf Marconi

Industry

Winning CTFs: A Proving Ground at HackMex & Ekoparty

Mar 13, 2026

CTF competitions push offensive security skills to their limits. In 2025, the Bishop Fox Mexico team claimed first place at both HackMex Finals and EkoParty Red Team Space. Discover how the team navigated web exploitation, infrastructure compromise, and AWS attack paths to win.

By Luis De la Rosa Hernandez

Technical Research

Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643

Mar 9, 2026

FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.

By John Untz

Technical Research

Beyond Electron: Attacking Alternative Desktop Application Frameworks

Mar 3, 2026

Tauri promises a lighter, security-first future beyond Electron—but does it actually reduce risk? Carlos Yanez uncovers how XSS and permissive configs can still be chained into RCE, walking through real-world exploitation techniques every appsec team should understand.

By Carlos Yanez

Industry

Introducing CloudFox GCP: Attack Path Identification for Google Cloud

Feb 26, 2026

Meet CloudFox GCP, an offensive security tool built to map identities, enumerate resources, and uncover real attack paths in Google Cloud. Designed for practitioners, it exposes privilege escalation, lateral movement, and data exfiltration risks so you can secure GCP before attackers exploit it.

By Joseph Barcia

Advisory

Samsung Tizen OS | Version Through 9.0

Feb 24, 2026

Bishop Fox identified a low-risk command injection flaw in Samsung Tizen OS (through 9.0) that allows OS-level code execution on smart TVs with developer mode enabled. Exploitation requires local access and the configured developer IP. Organizations should disable developer mode or use kiosk mode.

By Bishop Fox Researchers

Industry

AI & Security Risks: Reviewing Governance and Guardrails

Feb 19, 2026

Moving fast with AI is easy. Governing it isn’t. In this discussion, security and AI leaders share real-world lessons on inventory, least privilege, measurable outcomes, and building guardrails before scaling adoption.

By Bishop Fox