Training

Vulnerability Research and Exploitation on Edge Devices: Memory Corruption Edition

Marco Ortisi

Security Researcher


Abstract

Attacks targeting edge devices are steadily increasing. Because these systems are intentionally exposed to the internet, they often serve as easily identifiable entry points for attackers. Edge devices span a broad range of technologies (including VPN servers, firewalls, load balancers, routers, and email gateways), which makes them highly attractive targets for both cybercriminals and nation-state actors seeking initial access to enterprise environments. Bug bounty programs are also placing growing emphasis on vulnerabilities in these systems.

In this hands-on training, participants will walk through the complete process of vulnerability research and exploitation on a real-world embedded edge device commonly deployed within Fortune 500 environments. Starting from restrictive shells and locked-down filesystems, participants will progress through fuzzing, crash triage, and root-cause analysis, and ultimately weaponize memory-corruption bugs to achieve remote code execution.

The course focuses heavily on practical exploitation workflows: jailbreak techniques for analysis, bypassing vendor-specific protections, adapting fuzzers to embedded attack surfaces, and converting “unexploitable” crashes into reliable exploitation primitives. By the end of the training, participants will have both the methodology and practical skills needed to independently discover and exploit vulnerabilities in edge devices.

Comprehensive Curriculum Outline

KEY LEARNING OBJECTIVES

  • Examination of real-world use cases and vulnerability discovery through fuzzing sessions, reflecting how the bugs were originally uncovered in practice.
  • Five total case studies, three of which involve unpublished vulnerabilities.
  • Weaponization of the identified vulnerabilities.
  • No vulnerabilities are presented in administrative management consoles, as these are less relevant as case studies and often not directly exposed online.
  • All selected vulnerable components are internet-facing and tied to the user-accessible interface of the target platform—components that, by design, must be reachable from the internet.
  • Advanced debugging techniques.

Jailbreak & Environment Setup

  • Gaining control of the targeted device
  • Root filesystem extraction
  • Jailbreak strategies to escape restrictive shells
  • Persistent backdooring techniques
  • Unlocking read-only filesystems for analysis and modification
  • Leveraging vendor libraries and APIs to perform meaningful system operations
  • Case Study 1: CVE-2025-0282 — Analysis & Weaponization
  • Case Study 2: CVE-2025-22457 — Analysis & Weaponization

Attack Surface Mapping & Fuzzing

  • Identification of exposed components
  • Preparing the environment for fuzzing and crash analysis
  • Fuzzing self-contained C/C++ libraries for isolated crash discovery
  • Extending fuzzing over the network and triaging remote crashes
  • Case Study 3: CVE-2022-35258

Crash Analysis & Exploit Development

  • Refining fuzzers to improve coverage and trigger deeper bugs
  • Case Study 4: CVE-2022-35254
  • Case Study 5 Part 1: CVE-2025-XXXXX (0-day currently under coordination and pending fix)
  • Turning the “unexploitable” into exploitable
  • Methodology for pivoting from benign reads to dangerous writes
  • Exploitation workflows tailored to embedded system constraints
  • Overcoming practical challenges to achieve remote code execution: consolidated overview

Hands-On Lab Requirements

  • Students should have access to a computer with 8 GB RAM (16 GB suggested) and at least 40 GB free disk space.
  • Students should install a disassembler of their choice (e.g., IDA or Ghidra), the web proxy Burp Community Edition, and virtualization software (VMware Workstation Pro advised).
  • Two VMs will be used for the lab:
    • the attacker machine (Ubuntu, with gdb and pwndbg installed)
    • the victim (the SSL VPN product that will be attacked)

Laptops with Apple Silicon are NOT supported in this class. Please ensure that your laptop has an Intel or equivalent x86-64 processor.

Trainer Info

Marco Ortisi has been working in IT security professionally since 1999. After several roles in Italy and abroad as a penetration tester, vulnerability researcher, team leader, and eventually red team manager, he went through a midlife crisis that led him to return to vulnerability research and analysis (especially 0days). He rediscovered the joy of reporting to no one but himself. Marco is a former speaker and trainer at TyphoonCon, RingZer0, BlackHat, BruCON, HackInBo, BlackAlps and many other conferences.

Organizer

Partner Company

Sponsors

POC Conference is made possible thanks to the support of our sponsors. Their continued partnership has played a vital role in sustaining and growing POC over the years. We sincerely thank them for their contribution.


TBA

Sponsorship Kit is not ready yet. Please check back later.

Become a Sponsor

Join leading offensive security companies from around the world in supporting POC Conference. Connect with a highly engaged technical audience and shape the future of security research. We’re excited to learn more about you and would be happy to share our sponsorship kit. Contact us to explore sponsorship opportunities.

Supporting Friends

  • 0x41con
  • codeblue
  • kunlun
  • dailysecu
  • ekoparty
  • h2hc
  • hardweario
  • hexacon
  • hitcon
  • nopcon
  • nullcon
  • offensivecon
  • phdays
  • sincon
  • theori
  • xcon
  • zeronights