SafeBreach-Labs

Exploitation of CVE-2025-29969

100% credibility
Found Feb 22, 2026 at 20 stars.
AI Analysis
Python
AI Summary

Proof-of-concept scripts from SafeBreach Labs exploiting CVE-2025-29969 in the Windows Event Log service, which lets low-privileged users remotely check whether a file exists or write arbitrary files via a shared folder.

How It Works

1. Discover the discovery

You stumble upon SafeBreach's blog post revealing a Windows flaw where regular users can check or place files on other computers.

2. Grab the tools

You download the two straightforward checker and writer programs from the project's page.

3. Pick your test

Check for a file: Peek to see if a specific file or folder exists on the target computer using everyday access.

Place a file: Send your chosen file to exactly where you want it on the target computer.

4. Enter the details

You provide the target computer's address, a regular username and password, and the file path you're interested in.

5. Launch the action

You start the program and it effortlessly uses the security gap to complete your request.

Goal reached

You now know if the file exists or see your file successfully placed on the other computer, proving the issue.

AI-Generated Review

What is EventLogin-CVE-2025-29969?

Python scripts exploiting CVE-2025-29969, a time-of-check to time-of-use (TOCTOU) flaw in the Windows MS-EVEN EventLog protocol, dubbed EventLogin. Low-privileged domain users can write arbitrary files remotely to any machine via a simple SMB share, skipping admin rights for persistence plays like startup scripts. It also offers remote file existence checks for recon, revealing installed apps like Wireshark on domain hosts without elevated access.

Why is it gaining traction?

Fills a gap in low-priv Windows lateral movement, echoing Empire post-exploitation tactics but laser-focused on this 2025 EventLog vuln over generic tools. Dead-simple CLI with IP, creds, and path args gets you writing files fast, no complex setup beyond an impacket SMB server. Red teamers dig the primitive for chaining with SMB payloads in domain hunts.

Who should use this?

Red teamers probing Active Directory for low-priv escalation paths. Pentesters dropping payloads like calc.bat into startup folders during engagements. Security researchers validating CVE-2025-29969 patches on Windows fleets.

Verdict

Worth forking for EventLogin exploitation PoCs: clean docs and examples punch above its 18 stars and 1.0% credibility score. Maturity's raw with no tests, so test in labs before prod sims.
