Cybersecurity professional with ~10 years of experience across IT engineering, vulnerability management, threat intelligence, threat detection and incident response.
In my free time, I hunt for zero-day software vulnerabilities and participate in bug bounty programs.
I was a GrrCON 2025 main stage speaker on independent vulnerability research, presenting on how I discovered my first CVE.
- π LinkedIn - Seth Kraft
- π¦ Twitter @skraft09
-
π― CVE-2025-29471 β Authenticated Stored XSS + Privilege Escalation in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
𧨠CVE-2025-44824 β Authenticated Elasticsearch DoS via API in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
π CVE-2025-44823 β Authenticated API Key Exposure in Nagios Log Server π₯PoC Code |
βΆοΈ PoC Demo | π° Featured -
β‘CVE-2025-53392 β Authenticated Arbitrary File Read in pfSense 2.8.0 via Diagnostics Web Interface π₯PoC Code
-
π₯ CVE-2025-54138 β Authenticated Remote File Inclusion in LibreNMS 25.6.0 via
ajax_form.phpπ₯PoC Code
-
π΅οΈ Data Exfiltration β Recovered 300+ insurance policies from a misconfigured system at a Fortune 500 organization.
-
ποΈ Vulnerability Research β Discovered three vulnerabilities in Elastic software.
-
π Sensitive Information Disclosure β Located sensitive data exposed via public S3 buckets.
-
π§Ύ Privacy Flaws β Discovered user privacy risks via exposed PII through metadata from API endpoints on a widely used digital content platform.
