Technical Research

Otto Support - Logging and Visibility in MCP Servers

May 14, 2026

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

By Derek Rush

Otto-Support - Supply Chain Risks in MCP Servers

May 13, 2026

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

By Derek Rush

Otto Support - The Confused Deputy

May 8, 2026

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

By Derek Rush

Otto Support - SSRF and Token Passthrough with MCP

May 7, 2026

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.

By Derek Rush

CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy

May 6, 2026

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

By Nate Robb

Otto Support - Excessive Agency and Tool Privileges

May 6, 2026

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.

By Derek Rush

Otto Support – An MCP, Agentic-AI Security Challenge

Apr 23, 2026

Bishop Fox built a vulnerable MCP-based customer support tool and turned it into a security challenge. Explore how AI agents interact with tools, escalate privileges, and expose sensitive data. If you work with AI systems, this CTF shows exactly how these architectures fail in the real world.

By Derek Rush

Taking Maestro in Stride: AI Threat Modeling Frameworks

Apr 16, 2026

AI agents don’t fit traditional threat models. They act like users, services, and data pipelines at once. Learn why STRIDE alone falls short, how MAESTRO fills the gaps, and why modern AI systems must be treated as insider threats.

By Shad Malloy

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Apr 9, 2026

Cloud risk doesn’t live in a single permission, it lives in the relationships between them. Discover how Cirro maps hidden attack paths across Azure identities, resources, and data to reveal what attackers actually see.

By Leron Gray

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6–CVE-2026-35616

Apr 7, 2026

Bishop Fox researchers expanded on Fortinet's disclosure of CVE-2026-35616 by identifying the root cause via the released hotfix.

By John Untz

Delivered by Trust: What the Axios Supply Chain Attack Means for Security Leaders

Apr 6, 2026

A trusted package turned into an attacker’s gateway overnight. The Axios supply chain breach shows how quickly risk can spread—and why security leaders must rethink trust in modern development.

By Dillon Sparks

strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication

Mar 26, 2026

Bishop Fox researchers took a deep dive into a new strongSwan vulnerability that allows unauthenticated attackers to take VPN services offline. We created an easy tool to test your strongSwan deployment and recommend upgrading to version 6.0.5 or later.

By Jon Williams

Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643

Mar 9, 2026

FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.

By John Untz

Beyond Electron: Attacking Alternative Desktop Application Frameworks

Mar 3, 2026

Tauri promises a lighter, security-first future beyond Electron—but does it actually reduce risk? Carlos Yanez uncovers how XSS and permissive configs can still be chained into RCE, walking through real-world exploitation techniques every appsec team should understand.

By Carlos Yanez

The Total Cost of AI Ownership: The Costs Not on Your Budget Sheet

Jan 13, 2026

AI looks affordable at first: licenses, cloud, headcount. But once it’s in production, costs spread across teams, systems, and decisions in ways most models miss. Here’s what we’ve learned about the hidden costs of owning AI long-term.

By Kelly Albrink

GenAI DevOps: More Code, More Problems

Dec 30, 2025

GenAI has made it possible for anyone to ship production code, but security hasn’t caught up. The real risk isn’t bad AI code, it’s how quickly unsafe behavior reaches production. Here’s how to build guardrails so speed doesn’t become liability.

By Derek Rush

MITRE AADAPT Framework as a Red Team Roadmap

Dec 17, 2025

MITRE’s AADAPT framework exposes how attackers target digital-asset systems, but the real value comes from testing those threats. Learn how red teaming turns AADAPT into evidence-driven detection, stronger controls, and measurable protection against economic loss.

By Bishop Fox

Arista NextGen Firewall XSS to RCE Chain

Dec 4, 2025

Arista flagged three NG Firewall bugs as “limited.” Our researchers proved otherwise: real-world remote code execution is possible, and current patches don’t fully fix the root issues. Here’s what’s vulnerable, what we validated, and the steps to cut exposure now.

By Jon Williams, Ronan Kervella, Bishop Fox Researchers

Fortinet FortiWeb Authentication Bypass – CVE-2025-64446

Nov 19, 2025

Bishop Fox researchers discovered an authentication bypass in FortiWeb that lets attackers add their own admin accounts, take over the device, and erase evidence. Organizations can quickly check if they’re exposed using a new Bishop Fox scanner and should remove public access and update immediately.

By Jon Williams, John Untz

How a $20 Smart Device Gave Me Access to Your Home

Oct 2, 2025

Bishop Fox research uncovered zero-day vulnerabilities in the YoLink Smart Hub. Anyone using the YoLink Smart Hub v0382 is at risk.

By Nick Cerne

Demystifying 5G Security: Understanding the Registration Protocol

Sep 4, 2025

5G networks face critical security gaps during device registration. Despite improved architecture, unprotected initial messages and weak encryption negotiation create attack windows. Learn how to identify and mitigate these vulnerabilities.

By Drew Jones

Vulnerability Discovery with LLM-Powered Patch Diffing

Aug 15, 2025

Read our most recent research to see how LLMs can assist in scaling patch diffing workflows, saving valuable time in a crucial race against attackers.

By Jon Williams

Next-Level Fingerprinting: Tools, Logic, and Tactics

Aug 6, 2025

Explore how combining AI-assisted research with real-world data and signature normalization can significantly improve fingerprinting capabilities.

By Aaron Ringo

You’re Pen Testing AI Wrong: Why Prompt Engineering Isn’t Enough

Jul 9, 2025

Conventional pen testing methods fall short with LLMs. Static prompt tests miss adversarial context manipulation and latent model behaviors. Explore how to test AI systems like an attacker.

By Brian D.
