Black Hat USA 2025
The world's leading information security event. Briefings, trainings, and the Arsenal — where cutting-edge research meets enterprise security practice.
- AI Agents for Offsec with Zero False Positives
AI agents used naively for offensive security produce an overwhelming number of false positives — a problem that compounds catastrophically at scale due to the base rate fallacy. Brendan…
- Protecting Small Organizations in the Era of AI Bots
More than 51% of internet traffic is now non-human, and AI crawler bots are silently overwhelming small nonprofits and organizations that cannot afford enterprise security tools. A researcher from…
- Kernel-Enforced DNS Exfiltration Security
DNS remains the preferred command-and-control channel for 85% of advanced persistent threats because it bypasses firewalls, evades passive detection, and traverses nearly every network. Vedang…
- Burning, Trashing, Spacecraft Crashing: A Collection of Vulnerabilities That Will End Your Space Mission
Researchers from Vision Space demonstrated live exploits against three open-source mission control systems and NASA's Core Flight System, proving that software vulnerabilities — not kinetic weapons…
- Universal and Context-Independent Triggers for Precise Control of LLM Outputs
Researchers from Tencent Xuanwu Lab developed "universal adversarial triggers" — short, model-specific token sequences that, when injected into any prompt, force an LLM to output exactly what an…
- Decoding Signal: Understanding the Real Privacy Guarantees of E2EE
A 15-year veteran security engineer conducted a comprehensive, collaborative security review of Signal — one of the few messaging applications that fully implements encrypted profiles, the double…
- Ghost Calls: Abusing Web Conferencing for Covert Command & Control
Adam Crosser of Praetorian built a covert command-and-control (C2) channel that routes traffic through the TURN relay infrastructure of Microsoft Teams and Zoom, making attacker traffic appear as…
- Practical Attacks on Nostr, a Decentralized Censorship-Resistant Protocol
Researchers from NICT and collaborating institutions conducted the first full security analysis of Nostr — a decentralized, cryptography-based social networking protocol with over 1.1 million user…
- Uncovering and Responding to the tj-actions Supply Chain Breach
On March 14, 2025, Step Security's automated detection system identified that the widely used `tj-actions/changed-files` GitHub Action had been compromised via a chained supply chain attack…
- Dark Corners: How a Failed Patch Left VMware ESXi VM Escapes Open for Two Years
Researchers from ANK Group Security Lab discovered that CVE-2021-22050, a VMware ESXi XHCI USB controller vulnerability first disclosed in 2021, was never correctly patched. By exploiting the same…
- More Flows, More Bugs: Empowering SAST with LLMs and Customized DFA
Researchers at Tencent Security Wind Ding Lab have built a pipeline that uses large language models to automatically identify missing source and sink functions in CodeQL, then extends the tool's…
- Evaluating Autonomous Vehicle Resilience
Zoox's product security team applied fuzzing techniques borrowed from software security to the teleoperation system of their autonomous robotaxi fleet. By generating over 50,000 mutated driving…
- Windows Hell No for Business
Researchers contracted by Germany's Federal Office for IT Security (BSI) conducted an in-depth security analysis of Windows Hello for Business and demonstrated that a local administrator can decrypt…
- Use and Abuse of Personal Information -- Politics Edition
Virginia Tech researchers created 1,400 fake identities and enrolled them with candidates across the 2024 U.S. election cycle — from primary through six months post-election — to systematically…
- Smart Charging, Smarter Hackers: The Unseen Risks of ISO 15118
ISO 15118 — the international standard governing communication between electric vehicles and charging stations — meaningfully improves EV charging security by replacing skimmable RFID cards with…
- HTTP/1.1 Must Die! The Desync Endgame
James Kettle presents his fourth year of HTTP desync research and arrives at a stark conclusion: the industry has patched detection methods and scanning tools while leaving the actual vulnerability…
- Dead Pixel Detected: A Security Assessment of Apple's Graphics Subsystem
Yu Wang's systematic audit of Apple's graphics subsystem uncovered kernel vulnerabilities across every layer of the stack — from legacy Intel and AMD GPU plug-in extensions to Apple Silicon's AGX…
- Peril at the Plug: Investigating EV Charger Security and Safety Failures
Researchers from Trend Micro's Zero Day Initiative demonstrated that software vulnerabilities in consumer EV chargers — including bugs exposed at Pwn2Own 2024 and 2025 — can be leveraged to push…
- Racing for Privilege
Researchers from COMSEC at ETH Zurich discovered a microarchitectural race condition in Intel processors that undermines both Enhanced Indirect Branch Restricted Speculation (eIBRS) and the Indirect…
- Hackers Dropping Mid-Heist Selfies
Researchers built a two-layer LLM pipeline to analyze over 15 million screenshots automatically captured by information-stealer malware at the moment of infection. By applying analyst intuition as…
- Unix Underworld: Tales from the Dark Side of z/OS
Mainframes running IBM z/OS expose a Unix System Services (USS) subsystem that security teams already know how to attack — using the same enumeration scripts, privilege escalation patterns, and…
- Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces
Andrew Yang of CyberKunlun submitted 55 vulnerability reports to MSRC, accounting for nearly 60% of all Windows Secure Boot Security Feature Bypass CVEs issued in the past decade. What makes his…
- I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR
Olaf Hartong of Falcon Force demonstrated that the Event Tracing for Windows (ETW) subsystem — which Microsoft Defender for Endpoint, CrowdStrike, and other major EDRs rely on for telemetry — can be…
- Analyzing Smart Farming Automation Systems for Fun and Profit
Two OT penetration testers discovered catastrophic vulnerabilities in FJDynamics smart tractor automation systems — sold in Europe under the FJDynamics and SVIAGRO brands — that allowed them to…
- BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets
Microsoft's own offensive security team discovered four vulnerabilities in the Windows Recovery Environment (WinRE) that allow a physical attacker to bypass BitLocker and access all encrypted data…
- ECS-cape: Hijacking IAM Privileges in Amazon ECS
Security researcher Naor Aziz discovered that any container running inside an Amazon ECS EC2 cluster can impersonate the ECS agent — the control plane bridge running on every container instance —…
- Shade BIOS: Unleashing the Full Stealth of UEFI Malware
Kazuki Matsuo of FFR Security introduced ShadeBIOS, a research framework that retains UEFI BIOS in memory after the operating system boots and repurposes UEFI's own memory management, device…
- Ransomware, Tracking, DoS, and Data Leaks on Xiaomi Electric Scooters
Researchers from EURECOM and KTH demonstrated five novel attacks on Xiaomi electric scooters (Mi 3 and M365 models) using a technique called eTrojans: by flashing unsigned, unencrypted firmware over…
- No Hoodies Here: Organized Crime in AdTech
Infoblox researchers unmasked VexTrio — the internet's most prolific malicious traffic distribution network — as a multi-year organized crime operation run by Italian and Eastern European principals…
- Weaponization of Cellular Based IoT Technology
Researchers Darrell Hyland and Carlotta Biendner spent two and a half years developing methods to hijack the cellular modules embedded in IoT devices — without touching the cellular network itself…
- China's 5+ Year Campaign to Penetrate Perimeter Network Defenses
Over five years, Chinese state-linked threat actors mounted a sustained, evolving campaign against Sophos XG firewalls — and by extension, every major network perimeter device. Sophos responded by…
- Clue-Driven Reverse Engineering by LLM in Real-World Malware Analysis
CyCraft's research team developed Celebi (also referred to as CelerBS), an LLM-driven automated malware reverse engineering system that detects hallucinations before they propagate by monitoring…
- Hack to the Future: Owning AI-Powered Tools with Old School Vulns
Kudelski Security's research team audited over a dozen AI-powered developer tools — code review agents, data analytics assistants, and AI coding agents — and found vulnerabilities in every single…
- How to Secure Unique Ecosystem Shipping 1 Billion+ Cores?
NVIDIA is shipping over one billion RISC-V cores across its GPU, SoC, and data center product lines, having replaced its proprietary Falcon architecture with a custom RISC-V implementation called…
- Breaking Control Flow Integrity by Abusing Modern C++
C++20 coroutines — a language feature for suspendable, resumable functions used in async programming — create a class of heap-allocated objects with function pointers stored in writable memory…
- Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails
RunZero researcher Todd Carroll walks through CVSS, EPSS, and SSVC — the three dominant vulnerability scoring and prioritization systems — exposing what each actually measures, where each breaks…
- Advanced Bypass Techniques and a Novel Detection Approach
Static model scanners used to vet AI models from repositories like Hugging Face are fundamentally unable to catch malicious code embedded in model files, because the problem of exhaustively…
- How Tree-of-AST Redefines the Boundaries of Dataflow Analysis
Two researchers — one a recent high school graduate, the other a sixteen-year-old founder — developed Tree-of-AST, an LLM-powered dataflow analysis engine that applies Tree-of-Thoughts reasoning to…
- Digital Dominoes: Scanning the Internet to Expose Systemic Cyber Risk
Morgan Hervé-Minucci of Coalition, one of North America's largest cyber insurers, argues that the current generation of catastrophe models used to quantify systemic cyber risk is structurally…
- Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Apps
Fengyu Liu and Yukun Xu of Fudan University and Hong Kong Polytechnic University present MScan, a taint analysis framework that tracks vulnerability data flows across service boundaries in…
- Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)
Researchers from Comminate demonstrated that attackers can deliberately suppress or downgrade EDR alerts — not by defeating detection engines, but by exploiting SOC teams' tendency to ignore or…
- LLMs-Driven Automated YARA Rules Generation with Explainable File Features & DNAHash
Researchers from Alibaba Cloud Security introduced LMD-YARA, a four-stage framework that uses large language models (LLMs) and a novel binary hashing feature called DNAHash to automatically generate…
- Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite
Researchers from SafeBreach and the Technion demonstrated 14 distinct attacks against Google's Gemini AI assistant using nothing but a malicious Google Calendar invitation. By embedding indirect…
- Reinventing Agentic AI Security With Architectural Controls
David Brockler III of NCC Group argues that AI systems are being secured the same way the early web was secured — with heuristic guardrails as the primary defense — and that this guarantees the same…
- Use and Abuse of Palo Alto's Remote Access Solution
Security researcher Alex uncovered multiple vulnerabilities in Palo Alto's GlobalProtect VPN client on macOS and Linux — including DNS-spoofing-based tunnel bypasses, forged IPC message attacks, and…
- Turning Camera Surveillance on its Axis
Claroty Team82 researcher Noam Moshe discovered a pre-authentication remote code execution vulnerability chain in Axis Communications' camera management software — Axis Camera Station and Axis…
- Uncovering Threats and Exposing Vulnerabilities in Next-Gen Cellular RAN
Penn State University researchers Tianchang and Kai discovered 26 vulnerabilities — 22 of which received CVE assignments — across leading open-source and commercial Open RAN (O-RAN) implementations…
- Training Specialist Models: Automating Malware Development
Outflank researcher Kyle trained a custom 7-billion-parameter LLM called Dante — built on Qwen 2.5 Coder and fine-tuned via supervised fine-tuning plus Reinforcement Learning with Verifiable Rewards…
- Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future
Researchers from Aalto University audited account recovery flows across the most widely used websites using a structured framework called Artha, discovering that recovery mechanisms — intended as a…
- Breaking Chains: Hacking Android Key Attestation
Android Key Attestation, intended to guarantee that cryptographic keys live inside tamper-resistant hardware, contains a cluster of PKI implementation flaws — many rooted in a Google-vended…
- Pwning User Phishing Training Through Scientific Lure Crafting
A randomized controlled trial across 19,000+ hospital employees found that simulated phishing training delivered via off-the-shelf products produced only a 1.7% aggregate reduction in click rates —…
- Uncovering NASty 5G Baseband Vulnerabilities through Dependency-Aware Fuzzing
Researchers from Penn State built LOTUS, a dependency-aware fuzzing framework for 5G baseband processors, and used it to discover seven unique exploitable vulnerabilities — including one critical…
- If Google Uses It to Find Webpages, We Can Use It to Find Fraudsters
David Geer and Ido Ganor demonstrate that TF-IDF — the same text-frequency algorithm that underpinned early web search — can be applied to device and behavioral fingerprints to detect fraud at scale…
- Let LLM Learn: When Your Static Analyzer Actually Gets It
Existing SAST tools like CodeQL deliberately over-restrict their rules to minimize false positives, inadvertently suppressing real vulnerabilities before any LLM ever sees them. This research…
- Wormable Zero-Click RCE in AirPlay Impacts Billions of Apple and IoT Devices
"Airborne" is a collection of 23 vulnerabilities — 17 assigned CVEs — in Apple's AirPlay protocol and the AirPlay SDK used by third-party IoT device manufacturers. The research produced the…
- Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems
Anti-cheat systems for modern first-person shooters like Valorant and Rainbow Six Siege have independently developed Windows kernel defenses — PatchGuard bypass, memory invisibility cloaks, rogue…
- The First 30 Months of Psychological Manipulation of Humans by AI
Nearly every prediction made by this research team at Black Hat USA 2023 about AI-enabled psychological manipulation came true — faster than anticipated. In the 30 months since, LLMs have been…
- Conjuring Hardware Failures to Breach CPU Privilege Boundaries
Christopher Domas demonstrates MCEhammer, a novel exploitation technique that generates on-demand Machine Check Exceptions (MCEs) entirely from software, then uses them to interrupt AMD CPUs during…
- From Slide Rules to GenAI (Keynote)
Chris Inglis — former Deputy Director of the NSA and the nation's first National Cyber Director — argues that cyberspace's persistent insecurity is not a technical problem but a strategic one…
- Enhancing Command Line Classification with Benign Anomalous Data
Sophos data scientists Ben Gelman and Sean Bruzman show that anomaly detection — long dismissed as too noisy for production security use — excels at finding one specific thing: rare benign commands…
- FACADE: High-Precision Insider Threat Detection Using Contrastive Learning
Google's FACADE system uses contrastive learning to score every user-resource access event across billions of activities per year, achieving detection of red team attackers within the top 0.01% most…
- Breaking Out of The AI Cage: Pwning AI Providers with NVIDIA Vulnerabilities
Wiz Research discovered a critical TOCTOU (time-of-check time-of-use) vulnerability in NVIDIA Container Toolkit that allows a malicious container image to mount the host filesystem — effectively…
- Autonomous Timeline Analysis and Threat Hunting: An AI Agent for Timesketch
Google engineers Maarten van Dantzig and Alex present SecGemini, an AI agent that autonomously performs digital forensics and incident response across hundreds of millions of log records — finding…
- AI Enterprise Compromise: 0-Click Exploit Methods
Zenity CTO Michael Bargury and co-presenter Tamir demonstrate zero-click prompt injection attacks against enterprise AI agents across Microsoft Copilot Studio, Salesforce Agentforce (Einstein)…
- Vaulted Severance: Your Secrets Are Now Outies
Researchers from Sayata disclosed nine CVEs in HashiCorp Vault and five CVEs in CyberArk Conjur, including the first-ever remote code execution reported against Vault and a pre-authentication RCE in…
- A Fireside Chat with Cognitive Scientist and AI Expert Gary Marcus
Cognitive scientist and AI critic Gary Marcus argued at Black Hat 2025 that generative AI's limitations — unreliable reasoning, conceptual shallowness, and susceptibility to jailbreaks — make…
- Hacking the Status Quo: Tales From Leading Women in Cybersecurity
A panel of leading women on the Black Hat review board shared candid accounts of non-linear career paths, imposter syndrome, persistent workplace double standards, and practical strategies for…
- Exploiting DNS for Stealthy User Tracking
Researchers from Bitdefender demonstrated that DNS request patterns generated by smartphones are distinctive enough to fingerprint and track individual devices across network contexts with over 95%…
- From Prompts to Pwns: Exploiting and Securing AI Agents
NVIDIA's AI Red Team demonstrated live prompt injection attacks against Microsoft Copilot, PandasAI (CVE disclosed), and Cursor IDE — including exploits that achieved remote code execution via a…
- Locknote: Conclusions & Key Takeaways from Black Hat USA 2025
The Black Hat USA 2025 Locknote brought together review board veterans to synthesize the conference's central themes: the uncertain but broadly net-positive role of AI in both offense and defense…
- Advanced Active Directory to Entra ID Lateral Movement Techniques
Dirk-Jan Mollema of Outsider Security demonstrated that Exchange Hybrid deployments create a hidden, high-privilege attack path from on-premises Active Directory to full Microsoft 365 tenant…
- Chronicles of Counter-Intelligence from the Citizen Lab (Keynote)
Ron Deibert, founder of the Citizen Lab at the University of Toronto, delivered a sweeping account of 25 years investigating mercenary spyware, state surveillance, and the growing intersection of…
- Securing America: Readiness, Response, and Resilience for Critical Infrastructure Defense
Despite budget cuts, voluntary departures, and intense public scrutiny, CISA's operational leadership insists the agency is accelerating — not retreating. In a frank Black Hat keynote, Acting…
- Keynote: Threat Modeling and Constitutional Law
Jennifer Granick, the ACLU's Surveillance and Cybersecurity Counsel, challenged Black Hat attendees to expand their threat models beyond criminals and include government surveillance as a genuine…
- Leveraging Jamf for Red Teaming in Enterprise Environments
SpecterOps researchers Lance Kane and Dan Mayer revealed that Jamf Pro — the dominant mobile device management platform in enterprise macOS environments — can be systematically abused for privilege…
- LLM-Driven Reasoning for Automated Vulnerability Discovery Behind Hall-of-Fame
Cheng Dai and undergraduate collaborator Yifei built MinWhisper, an LLM-based pipeline that autonomously finds vulnerabilities in Samsung phones by decompiling stripped ARM64 binaries…
- 2 Cops 2 Broadcasting: TETRA End-To-End Under Scrutiny
Midnight Blue — the team behind the landmark TETRA:BURST disclosures in 2023 — returned to Black Hat with a follow-up that dismantles the mitigations deployed in response to their original research…
- Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
Wouter Bernard discovered a widespread misconfiguration in Microsoft Entra ID where applications are unintentionally registered as multi-tenant, allowing any external Microsoft account holder to…
- Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
Researchers from Tsinghua University discovered that HTTP/2 and HTTP/3 use a broader, certificate-based ("SAN-based") definition of origin that is more permissive than the URI-based same-origin…
- Unmasking Supply Chain Attacks via Application Behaviour
Researchers at Netskope Threat Labs spent two years building BEAM (Behavioral Evaluation of Application Metrics), an open-source tool that profiles the network behavior of native desktop…
- XUnprotect: Reverse Engineering macOS XProtect Remediator
Ko, a macOS security researcher at Prescotte Fedora Security, performed a deep reverse engineering of XProtect Remediator (XPR), Apple's third-layer malware defense. The research reveals XPR's…
- Weaponizing Apple AI for Offensive Operations
A lead red teamer at CVS Health demonstrated how Apple's native AI frameworks — CoreML, Vision, and AVFoundation — can be weaponized for C2 operations, payload staging, and evasion. None of the…
- No VPN Needed? Cryptographic Attacks Against the OPC UA Protocol
Tom Tervoort of Bureau Veritas Cybersecurity found two cryptographic vulnerabilities in the OPC UA industrial protocol that allow an attacker to bypass device authentication without knowing any…
- Lost in Translation: Exploiting Unicode Normalization
John Barnett and his daughter Isabella ("Angel Hacker"), a cybersecurity engineering student, present a systematic taxonomy of Unicode normalization vulnerabilities that let attackers bypass…
- New Red Team Networking Techniques for Initial Access and Evasion
Su Hao Tung of Trend Micro demonstrates how attackers can exploit IP spoofing, stateless tunneling protocols (GRE, VXLAN), and misconfigured routing protocols (OSPF) to gain initial access to…
- Unveiling Hidden Preauth Vulnerabilities in Windows HTTP Services
Researchers from CyberKoolun at Huazhong University of Science and Technology systematically mapped the Windows HTTP API service framework and uncovered a class of pre-authentication vulnerabilities…
- Derandomizing the Location of Security-Critical Kernel Objects in the Linux Kernel
Researchers Lukas Maar and Lukas Giner from Graz University of Technology present a TLB timing side-channel attack that defeats KASLR (Kernel Address Space Layout Randomization) by revealing the…
- Clustered Points of Failure: Attacking Windows Server Failover Clusters
Windows Server Failover Clustering (WSFC) introduces hidden Active Directory machine accounts — Cluster Name Objects (CNOs) and Virtual Cluster Objects (VCOs) — that share password material across…
- Unveiling the Hidden Perils of the TorchScript Engine in PyTorch
PyTorch's `weights_only=True` parameter — the standard fix for `pickle`-based RCE in ML model loading — does not actually prevent code execution when loading TorchScript (`.pt`) files, because the…
- QUACK: Hindering Deserialization Attacks via Static Duck Typing
Researchers from Brown and Columbia universities present QUACK, a static program analysis tool that automatically infers which PHP classes a developer intended to allow through `unserialize()` calls…
- How KCFG and KCET Redefine Control Flow Integrity in the Windows Kernel
Conor McGarr of Prelude delivers a deep technical analysis of Kernel Control Flow Guard (KCFG) and Kernel Control Flow Enforcement Technology (KCET) — Microsoft's kernel-mode implementations of…
- Nicole Perlroth Keynote: The New Frontline: Cyber on the Precipice
Nicole Perlroth, the former New York Times cybersecurity correspondent and author of *This Is How They Tell Me the World Ends*, delivered a sweeping keynote tracing cybersecurity's escalating threat…
- Mikko Hypponen Keynote: Three Decades in Cybersecurity
Mikko Hypponen, one of the most recognized figures in cybersecurity, used his Black Hat 2025 keynote as both a historical retrospective and a farewell address — announcing his departure from the…