Azure Dev Summit 2025 - Security Resources
A comprehensive collection of security resources for Azure Dev Summit 2025 talks
OWASP Top 10 2021 applied to CISA KEV catalog, plus modern .NET serialization attacks (2018-2025)
Deserialization Vulnerabilities
SharePoint (CVE-2025-53770)
CVEs:
- CVE-2025-53770 - ToolShell Deserialization (CVSS 9.8→10.0)
- CVE-2025-53771 - Authentication Bypass
- CVE-2025-49706 - Improper Authentication
- CVE-2025-49704 - Code Injection
- CVE-2024-38094 - Deserialization
- CVE-2023-29357 - Privilege Escalation
- CVE-2023-24955 - Code Injection
- CVE-2020-1147 - .NET Framework/SharePoint RCE
- CVE-2019-0604 - SharePoint RCE
KB Articles:
Resources:
- MSRC Blog - Customer Guidance
- Eye Security Research - SharePoint Under Siege
- CISA Alert
- Kaizen Security - PoC
Sitecore (CVE-2021-42237)
CVEs:
- CVE-2021-42237 - Report.ashx RCE (CVSS 9.8)
- CVE-2025-53690 - Sample Machine Keys
KB Articles:
Resources:
- Sitecore Documentation - CM/CD Servers
- Sitecore Documentation - Azure Topology
- Google Threat Intelligence - CVE-2025-53690
- Assetnote Advisory
- Assetnote Blog - Pre-Auth RCE
- Rapid7 Blog - Opportunistic Exploitation
- Rapid7 Metasploit Module
- Rapid7 Vulnerability Database
- eSentire MDR Detection
- BleepingComputer - Active Exploitation
- AttackerKB Assessment
Greenshot (CVE-2025-59050)
CVEs:
- CVE-2025-59050 - BinaryFormatter Deserialization (CVSS 8.4)
Resources:
- GitHub Security Advisory GHSA-8f7f-x7ww-xx5w
- Greenshot GitHub Repository
- Microsoft BinaryFormatter Security Guide
- GBHackers Security News
- CyberSecurityNews Coverage
- TheCyberExpress Analysis
- Tenable Nessus Plugin 265429
JSON DoS (CVE-2024-21907)
CVEs:
- CVE-2024-21907 - Deep Nesting DoS (CVSS 7.5)
Resources:
- GitHub Advisory GHSA-5crp-9r3c-p9vr
- Aleph Security ALEPH-2018004 - Original Research (2018)
- Newtonsoft.Json 13.0.1 Release - Fix Released March 22, 2021
- GitHub Issue #2457 - DoS via deeply nested JSON
- GitHub Issue #2459 - Stack overflow
- Microsoft KB5017192
- System.Text.Json MaxDepth
- JsonReaderOptions.MaxDepth
- Snyk Database Entry
- Wiz Vulnerability Database
- Vulert Database
- Docker Scout Advisory
Authentication & Identity
Entra ID Actor Tokens (CVE-2025-55241)
CVEs:
- CVE-2025-55241 - Actor Token Cross-Tenant (CVSS 10.0)
Resources:
- Dirk-jan Mollema Research
- Microsoft Learn - OAuth 2.0 On-Behalf-Of Flow
- Microsoft Learn - Graph API Overview
- MSRC Advisory
- RFC 7519 - JSON Web Token (JWT)
- RFC 8693 - OAuth 2.0 Token Exchange
- NIST SP 800-144 - Cloud Security Guidelines
Supply Chain
NuGet Supply Chain
CVEs:
- CVE-2024-43498 - .NET Remote Code Execution
- CVE-2024-0057 - .NET Security Feature Bypass
- CVE-2023-45853 - zlib minizip
- CVE-2023-38831 - WinRAR
- CVE-2023-36049 - .NET Elevation of Privilege
- CVE-2022-37434 - zlib Buffer Overflow
- CVE-2021-3331 - WinSCP
Resources:
- NuGet.org Package Statistics
- NuGet Security Advisories
- NuGet Audit Documentation
- NuGet Package Signing
- Announcing NuGet 6.8
- Package Signing Requirements
- Azure Artifacts Documentation
- Microsoft - Dependency Confusion Mitigation
- Alex Birsan - Dependency Confusion Research
- WinSCP Security Advisory
- WinSCP 5.17.10 Release Notes
- WinSCP GitHub Patch
- NIST SSDF - Secure Software Development Framework
- SLSA - Supply-chain Levels for Software Artifacts
- NIST SP 800-204C - DevSecOps for Cloud
Additional .NET KEV CVEs (2021-2025)
Exchange, VMware, F5, Ivanti, Skype, Samsung, Adminer, and others
2025:
- CVE-2025-29813 - Azure DevOps Server
- CVE-2025-24984 - Windows NTFS
- CVE-2025-3928 - Commvault Web Server
2024:
- CVE-2024-21893 - Ivanti Connect Secure
2023:
- CVE-2023-41763 - Skype for Business SSRF
- CVE-2023-21492 - Samsung Kernel
2022:
- CVE-2022-41082 - ProxyNotShell
- CVE-2022-41040 - ProxyNotShell SSRF
2021:
- CVE-2021-42321 - Exchange RCE
- CVE-2021-40438 - Apache HTTP Server
- CVE-2021-34473 - ProxyShell
- CVE-2021-27103 - Accellion FTA
- CVE-2021-26857 - ProxyLogon
- CVE-2021-26855 - ProxyLogon SSRF
- CVE-2021-22986 - F5 BIG-IP
- CVE-2021-21985 - VMware vCenter
- CVE-2021-21975 - VMware vRealize
- CVE-2021-21973 - VMware vCenter
- CVE-2021-21311 - Adminer
General Resources
OWASP:
- Top 10:2021
- Deserialization Cheat Sheet
- SAMM (Software Assurance Maturity Model)
- ASVS (Application Security Verification Standard)
- Cheat Sheets
NIST:
MITRE:
Microsoft Security:
- BinaryFormatter Security Guide
- 365 Defender Hunting Queries (GitHub)
- Azure Security Baseline
- Graph Migration Guide
Detection:
Reports:
Tools:
- ysoserial.net - .NET Deserialization Tool
- Google Project Zero - .NET Serialization Security
- BlackHat USA 2017 - Friday the 13th JSON Attacks (PDF)
- BlackHat USA 2017 - Friday the 13th JSON Attacks (Video)