TBA

Reviewed by a peer-review board of practising researchers.






Modern Windows mitigations have significantly hindered memory corruption exploitation, but reliable Local Privilege Escalation can still emerge from a quieter class of issues: logical bugs in privileged components.
This talk takes a primitive-oriented view of exploiting Windows logical bugs. Instead of treating each vulnerability as an isolated bug, we model it as a weak but composable privileged primitive over processes, files, registry objects, and service state.
We first cover user-mode logical bugs. We disclose a won't-fix Windows Error Reporting Service issue, ZDI-24-1098, which provides an attacker-controlled arbitrary process termination primitive. Although limited on its own, this primitive can be chained with privileged service behavior to build stable exploitation paths, including CVE-2025-55692, CVE-2024-49107, and CVE-2024-30033.
We then move to kernel-mode logical bugs and publicly present two bug classes in csc.sys and storvsp, including CVE-2025-60705, CVE-2025-64673, and CVE-2025-59516. These issues arise from incorrect trust propagation, object ownership, and privileged state manipulation rather than memory corruption, yet they can still be weaponized into reliable SYSTEM LPE chains.
By sharing these cases, we hope to draw more attention to Windows logical bugs as a durable and underexplored LPE attack surface. More broadly, we aim to encourage future research that looks beyond individual vulnerabilities and studies how weak primitives across services and drivers can be discovered and composed.

Bocheng Xiang (@crispr_x) is an offensive security researcher and PhD candidate at Fudan University. His work focuses on uncovering high-impact Windows vulnerabilities and exploitation primitives rooted in file system semantics and OS design flaws. He is an MSRC MVR (2024/2025) and ranked Top 20 on the MSRC 2024 Q3 Windows Leaderboard. He has published at USENIX Security, CCS, and NDSS, with accepted talks at PoC 2025, Re//verse 2026, and Black Hat USA/Europe.

HeeChan Kim is a security researcher and a student at Soongsil University, specializing in Windows OS internals and Local Privilege Escalation (LPE). As a winner of the DEF CON 33 CTF with team MMM and a member of TeamH4C, he actively hunts for zero-days and persistent logical flaws within complex OS architectures. He has previously presented his Windows LPE research at POC and RE//verse.