gengstah

gengstah

Exploring the spaces between specs — where weird machines live and exploits are born

Blog posts

2026

Router-side ARP defenses don’t catch what they don’t see

18 minute read

Published:

For a long time the standard answer to ARP poisoning on the LAN has been “use Dynamic ARP Inspection.” Cisco DAI checks every ARP frame against the DHCP-snooping binding table; offending frames get dropped at the switchport. On more capable APs and home routers there are equivalents: DHCP-snooping ARP filtering, IP-MAC binding, ebtables/arptables on br-lan, MikroTik’s arp=reply-only, Ubiquiti’s “ARP cache poisoning protection”. Every one of them works the same way at heart: catch the malicious ARP as it crosses the bridge.

2025

December 2025 Patch Tuesday

4 minute read

Published:

CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

A Windows Cloud Files Mini Filter Driver (cldflt.sys) bug (CVE-2025-62221) is being actively exploited this month and has been patched in this month’s Patch Tuesday. In October, there was a TOCTOU bug (CVE-2025-55680) patched in the same driver. This time around, the bug is a Use-after-Free (UaF). I looked at the patch made to the driver and shared my findings in this blog.

Joined the OSEE club

2 minute read

Published:

Joined the OSEE club

For the past few months, I have been juggling work and studying for the OSEE exam. Today, I finally got an email from OffSec saying that I passed 🎉

November 2025 Patch Tuesday - CLFS

4 minute read

Published:

Patch Diffing

Patch diffing is the process of generating a diff or the difference or changes made to a file or software as a whole, by comparing the bytes of an old and new version of the same file. This process is used by attackers and defenders alike to find out what changes are made in the software in question. In cybersecurity, more often than not, this process is used to find out what flaw/s the new version of the software patched.