Welcome


👋 Hi, I'm Devran Atuğ

Red Team Security Engineer · Bug Bounty Hunter · TEDx Organizer

I’m a 19‑year‑old university student with ~2 years of hands‑on cybersecurity experience. My core focus areas are Web & Mobile Application Security, real‑world vulnerability research, and exploit development. I also work with Amazon Web Services (AWS), delve into Active Directory defence & attack surface analysis, and explore digital forensics.

  • CTF Competitions: I regularly compete in national & international CTFs, building offensive tooling and sharing knowledge with teammates.

  • Bug Bounty: Listed in multiple local and international Hall of Fame pages for responsible disclosure efforts.

  • Professional Services: Provide penetration‑testing engagements for organisations, emphasising actionable remediation and clear reporting.

  • Continuous Learning: I invest heavily in research, reverse‑engineering, and lab environments to sharpen my tradecraft.


  • CVE‑2025‑24801 – GLPI Pre-Authentication RCE

    A critical remote code execution (RCE) vulnerability affecting GLPI version 10.0.17. An unauthenticated attacker can upload a malicious PHP file through a vulnerable endpoint and execute it, leading to full system compromise.
    📄 Details: [→ Document]

  • CVE‑2025‑29927 – Next.js v12–v15 Middleware Bypass

    Middleware controls can be bypassed by forging the x-middleware-subrequest header in Next.js versions 12 through 15.
    📄 Details: [→ Document]

  • CVE‑2025‑24813 – Tomcat Session Deserialization RCE

    Chained RCE achieved through partial PUT of .session files and subsequent deserialization in Apache Tomcat.
    📄 Details: [→ Document]

  • CVE‑2020‑17530 – Apache Struts2 OGNL Expression RCE

    Critical RCE vulnerability in Apache Struts2 caused by improper handling of OGNL expressions.
    📄 Details: [→ Document]

  • CVE‑2022‑24112 – Apache APISIX Batch-Requests RCE

    IP-based access control can be bypassed by spoofing X-Real-IP: 127.0.0.0.1, leading to unauthorized RCE via the batch-requests plugin.
    📄 Details: [→ Document]

  • CVE‑2025‑27590 – Oxidized Web RCE

    Remote command execution through multipart/form-data input passed directly to the OS without validation.
    📄 Details: [→ Document]


🔗 Connect with Me

Twitter/X · GitHub · LinkedIn

