Cybersecurity professional with ~10 years of experience across IT engineering, vulnerability management, threat intelligence, threat detection and incident response.
In my free time, I hunt for zero-day software vulnerabilities and participate in bug bounty programs.
I was a GrrCON 2025 main stage speaker on independent vulnerability research, presenting on how I discovered my first CVE.
-
π― CVE-2025-29471 β Authenticated Stored XSS + Privilege Escalation in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
𧨠CVE-2025-44824 β Authenticated Broken Access Control in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
π CVE-2025-44823 β Authenticated API Key Exposure in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
β‘CVE-2025-53392 β Authenticated Arbitrary File Read in pfSense 2.8.0 via Diagnostics Web Interface π₯PoC Code
-
π₯ CVE-2025-54138 β Authenticated Remote File Inclusion in LibreNMS 25.6.0 via
ajax_form.phpπ₯PoC Code
-
π΅οΈ API Security β Discovered an unauthenticated IDOR vulnerability in a production API, allowing for the enumeration of over 300 active insurance policies.
-
ποΈ Vulnerability Research β Reported seven vulnerabilities in Elastic software.
-
π Sensitive Information Disclosure β Located sensitive data exposed via public S3 buckets.
- π LinkedIn - Seth Kraft
- π¦ Twitter @skraft09