1 change: 1 addition & 0 deletions src/SUMMARY.md
Expand Up @@ -375,6 +375,7 @@
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
- [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
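Review bot: the new SUMMARY.md entry title `Inputmethodservice Ime Abuse` reads like a slug auto-generated from the filename; the neighbouring entries use real casing (`Objection Tutorial`, `Google CTF 2018 - Shall We Play a Game?`), so `InputMethodService (IME) Abuse` would match the Android class name it refers to, with the path `mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md` left unchanged. Placement between `In Memory Jni Shellcode Execution` and `Insecure In App Update Rce` is alphabetically correct.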
Expand Up @@ -81,3 +81,4 @@ adb shell ime help
- **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
- **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).

{{#include ../../banners/hacktricks-training.md}}
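Review bot: the added include path `../../banners/hacktricks-training.md` resolves correctly from `mobile-pentesting/android-app-pentesting/` (two levels below `src/`), consistent with the single `../` the OPC UA page in this same change uses from `network-services-pentesting/`. On the surrounding context, the User/MDM bullet tells admins to allowlist trusted keyboards but gives no way to check the current state; since the hunk header already shows `adb shell ime help`, a one-line pointer to the `ime list` invocation that prints the enabled IMEs would make that mitigation verifiable.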
8 changes: 8 additions & 0 deletions src/network-services-pentesting/4840-pentesting-opc-ua.md
Expand Up @@ -65,8 +65,14 @@ opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port
1. Enumerate policies with `GetEndpoints` and note any `Basic128Rsa15` entries.
2. Negotiate that policy explicitly (`SecurityPolicyUri` in `CreateSession`), then run your oracle loop until the recovered key validates.
3. Abuse the key to forge a high-privilege session, switch roles, or silently downgrade other clients by acting as a rogue reverse proxy.
- **CODESYS Runtime Toolkit (<3.5.21.0)** re-enabled Basic128Rsa15 whenever integrators compile with `CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY`. Flip that flag, re-run the oracle workflow above, and you can leak the runtime's private key to impersonate trusted engineering workstations until patch level 3.5.21.0 or later is deployed.
- OPC Foundation simultaneously published CVE-2024-42513 for HTTPS bindings. Even if your target claims TLS, make sure it is not silently falling back to Basic128Rsa15 for the binary transport behind the proxy.

### 2024-2025 exploit watchlist

- **open62541 fuzz_binary_decode (CVE-2024-53429):** SecureChannel chunks that declare oversized `ExtensionObject` bodies make the decoder dereference freed memory, so a pre-auth attacker can repeatedly crash UA servers that embed open62541 ≤1.4.6. Reuse the Claroty corpus (`opcua_message_boofuzz_db`) or craft your own Boofuzz harness to spam mutated `OpenSecureChannel` requests until the watchdog kills the process, then re-enumerate because many integrators fall back to anonymous mode after the reboot.
- **Softing OPC UA C++ SDK / edgeConnector / edgeAggregator (CVE-2025-7390):** The TLS client-auth pipeline accepts any certificate that replays a trusted Common Name, so you can mint a throwaway cert, copy the CN from a plant engineer, and log in with arbitrary `UserNameIdentityToken` or `IssuedIdentityToken` data. Pair this with a downgrade to Basic128Rsa15 to strip integrity checks and persistently impersonate operators until trustlists are rebuilt.

### Crafting OPC UA clients for exploitation

- **Custom clients:** Drop-in libraries (python-opcua/asyncua, node-opcua, open62541) let you drive exploit logic yourself. Always enforce your target namespace index to avoid accidental cross-namespace writes when vendors reorder namespaces after firmware updates.
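Review bot: the two new watchlist bullets state precise technical claims (open62541 ≤1.4.6, a freed-memory dereference on oversized `ExtensionObject` bodies, CN-replay acceptance in the Softing client-auth pipeline) without citing a source inline, and neither names the fixed version, so a reader cannot tell whether a given server is patched; add the fixed release for each entry next to the CVE id, and link the advisories from the bullets rather than only from the references list. The claim that "many integrators fall back to anonymous mode after the reboot" is unsourced and should either cite the Claroty material it appears to come from or be softened, and the corpus name `opcua_message_boofuzz_db` should be given as a link to the actual file so the identifier can be verified. The heading `### 2024-2025 exploit watchlist` also matches the sibling heading style, which is fine.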
Expand Down Expand Up @@ -114,6 +120,8 @@ Combine the search with vendor strings (`"Ignition OPC UA"`, `"KepServerEX"`) or
- [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/)
- [https://github.com/claroty/opcua-exploit-framework](https://github.com/claroty/opcua-exploit-framework)
- [https://certvde.com/en/advisories/VDE-2025-022/](https://certvde.com/en/advisories/VDE-2025-022/)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-53429](https://nvd.nist.gov/vuln/detail/CVE-2024-53429)
- [https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html](https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html)


{{#include ../banners/hacktricks-training.md}}
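Review bot: the two added reference entries cover exactly the CVEs introduced in the watchlist (NVD for CVE-2024-53429, the Softing PSIRT page for CVE-2025-7390), which is good; however CVE-2024-42513, mentioned in the context of the earlier hunk as an OPC Foundation HTTPS advisory, still has no corresponding entry, so add its advisory link here for consistency. Minor style point: the two blank lines before the final `{{#include ../banners/hacktricks-training.md}}` could be collapsed to one, matching the single blank line used before the include in the IME page of this change.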