Our team recently attended the RomHack Conference 2025. In keeping with our tradition, we are pleased to share a review of our favorite presentations from the event.

HTTP/1.1 Must Die! The Desync Endgame by James “albinowax” Kettle

James Kettle, from PortSwigger, kicked off the day by explaining that the HTTP/1.1 protocol is fundamentally insecure due to its inability to reliably separate requests on a single connection. This leads to desync or “request smuggling” attacks, where an attacker can poison a server’s connection to achieve cache poisoning, session hijacking, and even full-site compromise.

He presented two new families of desync attacks that illustrate why the problem persists:

• Zero-Content-Length (CL) Desyncs: Previously considered impossible, these attacks are now feasible by finding an early response gadget on a server. For instance, requesting a reserved filename on an IIS server (e.g., /con) causes it to respond immediately without waiting for the request body. This breaks the connection deadlock that would normally occur, allowing an attacker to successfully perform a desync attack by hiding a Content-Length header from the front-end.
• Expect Header Desyncs: The Expect: 100-continue header adds complexity to request handling. By manipulating this header, attackers can provoke edge cases that lead to memory exposure, response queue corruption (delivering one user’s response to another), and denial-of-service conditions.

To highlight the real-world impact of this research, Kettle shared that it had resulted in slightly over $350,000 in bug bounties.

His core message was a call to action: to truly secure the web, organizations must stop using the HTTP/1.1 protocol for their upstream internal connections and migrate to modern protocols like HTTP/2 or HTTP/3, which eliminate this entire class of vulnerability by design.

7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built by Leon Jacobs

Leon Jacobs, from Orange Cyber Defense Sense Post team, shared his week-long journey into discovering critical vulnerabilities in common bloatware applications.

The research began when Jacobs’ ASUS computer rebooted instantly after he clicked an “update driver” prompt from the ASUS DriverHub. He discovered a local web server running on his machine, serving a public website that performs JavaScript fetch requests to this local server, which then made Win32 API calls to reboot the computer. The CORS validation was vulnerable, only checking if asus.com it was a substring of the origin header, allowing any domain like asus.com.local to bypass it. The update function had a signature check that only verified the presence of a string (“Asus Tech Computer Inc”) in the PE file’s properties, which is trivial to forge. This led to a one-click RCE that could be escalated via an UAC manifest (requestedExecutionLevel="requireAdministrator") to achieve an UAC bypass.

Wondering if the ASUS vulnerability was part of a wider pattern of insecurity, Jacobs began testing other products and quickly found that this flawed design was common. His research revealed critical vulnerabilities in software from several other major hardware vendors:

• In MSI Center, he identified that a background service running with the highest privileges could be tricked into executing malicious code. An attacker could exploit a race condition, a small window of time between when the software checked a file’s signature and when it actually ran the file to swap a legitimate file with a malicious one, leading to a full system takeover.
• In Acer Control Center, he found an insecurely configured named pipe with global access allowed for remote code execution. An obscure integer argument in a function call could be flipped to change the process integrity level, turning the bug into a local privilege escalation.
• Finally, in Razer Synapse, he discovered that the software’s privileged “elevation service” could be directly controlled through a COM object. With a single line of code in PowerShell, he could command this service to run any program, again giving him complete control over the machine.

Towards the end of his talk, Leon Jacobs introduced Pipetab, a new open-source tool he’s developing to make it easier to analyze Windows named pipe communication, especially when multiple programs are interacting.

The (Un)Rightful Heir: My dMSA Is Your New Domain Admin by Yuval Gordon

Yuval Gordon closed the day by presenting “Bad Successor,” a vulnerability discovered in Windows Server’s 2025 new feature called Delegated Managed Service Accounts (DMSA). This feature was designed to securely migrate legacy service accounts by allowing a new dMSA to inherit the permissions of an old account. Gordon explained that this inheritance process relied on a link between the two accounts, but before the fix, the system only checked this link from one direction, trusting the new dMSA’s claim without verifying it with the powerful account it was supposedly replacing.

This one-sided trust created the vulnerability CVE-2025-53779. An attacker with minimal permissions could create their own dMSA, link it to a Domain Admin, and instantly gain full domain control. Additionally, the process leaked the domain administrator’s NTLM hash, turning the bug into a powerful credential dumping tool.

Microsoft’s patch addressed this by enforcing a mutual link verification, meaning both accounts now have to “agree” to the link. While this stops the initial privilege escalation attack, Gordon showed that the vulnerability wasn’t entirely eliminated. In its post-patch state, an attacker who already has written access to a target account can create the required mutual link. This transform “Bad Successor” from a privilege escalation tool into a stealthy credential dumping tool. It provides a powerful alternative to the traditional DC Sync method, as it uses far less suspicious network traffic, making it much harder for defenders to detect.