Latest Insights

RCE in PIXERA TWO Media Server (CVE-2026-7703, CVE-2026-7704)

The PIXERA TWO Media Server is an Audio-Visual (AV) solution widely adopted to create large-scale, high-quality visual experiences in live events, stage productions, and creative projects. PIXERA servers are typically deployed in internal or isolated networks as part of professional AV setups, where performance and stability are critical. The following advisory presents two (2) vulnerabilities…

Prioritizing Agentic Workflows Before Models: The Story Behind CVE-2026-34311

Everyone is obsessing over which model powers their security agent. Is it the largest? The most expensive? The one topping the benchmarks? We took a different bet. We ran with GLM-4.7 and uncovered CVE-2026-34311, a critical unauthenticated SSRF in Oracle OPERA PMS (again!). GLM-4.7 is certainly not the flashiest model on the market, but instead it strikes a balance…

Supply Chain As the Perimeter

When the threat enters through the vendor, detection starts too late. Here is what we saw in the past twelve months — and what it demands from defenders. The perimeter is dead — and the supply chain buried it. Just over a month ago, we were invited by the Cyber Security and Technology Crime Bureau…

Silver Fox’s Dual-Pronged Strategy: Dissecting the ValleyRAT Distribution Campaign

The Silver Fox APT group employs a sophisticated, hybrid distribution strategy to maximize the reach of their custom-built ValleyRAT trojan, primarily aimed at Chinese-speaking victims. Rather than relying on a single infection method, the group employs a multi-medium strategy to achieve both precision and scale. On one front, Silver Fox executes highly targeted phishing operations,…

When Hospitality Software is Too Hospitable: an XSS Filter Bypass and a Curious SSRF in Oracle Hospitality OPERA (CVE-2026-21966, CVE-2026-21967)

Last autumn, while a typhoon hammered against the hotel windows, our offensive specialist found themselves locked into a different kind of storm – a pentest that refused to stay routine. What began as a run-of-the-mill exercise quickly spiralled into yet another thrilling adventure of vulnerability disclosure. This writeup walks through DarkLab’s discovery of a Cross-Site…