<![CDATA[I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors.]]>I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. A single click on an ordinary-looking link was enough to disconnect a network from the internet.

My entry points were debugging fields in DNS and crafted TLS certificates. From there, I escalated to the RPKI Dashboard, which controls which networks are authorised to announce your IP addresses to the internet, and the RIPE Database, which stores routing policy. All vulnerabilities have been fixed.

Full write-up: https://mxsasha.eu/posts/ripe-ncc-rpki-exploit-chain/

Link Preview Image
]]>https://board.circlewithadot.net/topic/64420836-8d1d-4656-bf7b-4d9132e2b64a/i-found-a-chain-of-vulnerabilities-in-systems-at-ripe-ncc-operator-of-one-of-five-global-rpki-trust-anchors.RSS for NodeFri, 15 May 2026 04:15:26 GMTWed, 29 Apr 2026 08:54:54 GMT60<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 18:25:28 GMT]]>@sash This is phenomenal! I'm reading this on my lunch break.

]]>https://board.circlewithadot.net/post/https://en.osm.town/ap/users/115702352497105111/statuses/116489396470079536https://board.circlewithadot.net/post/https://en.osm.town/ap/users/115702352497105111/statuses/116489396470079536Wed, 29 Apr 2026 18:25:28 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 16:47:57 GMT]]>@sash Interesting!

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/rmd1023/statuses/116489013025463363https://board.circlewithadot.net/post/https://infosec.exchange/users/rmd1023/statuses/116489013025463363Wed, 29 Apr 2026 16:47:57 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 13:39:17 GMT]]>@sash « I stumbled into the first vulnerability while debugging the reverse DNS zone for my IPv6 range in RIPEstat, RIPE NCC’s network information tool. A blue marquee started scrolling across the page, from an XSS payload I had put in my DNS server months earlier. »

actual irl lol, excellent work

]]>https://board.circlewithadot.net/post/https://mendeddrum.org/users/fanf/statuses/116488271132951638https://board.circlewithadot.net/post/https://mendeddrum.org/users/fanf/statuses/116488271132951638Wed, 29 Apr 2026 13:39:17 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 10:07:35 GMT]]>@sash thank you for your service - and a great write up for all on your discovery! ✌💙

]]>https://board.circlewithadot.net/post/https://hachyderm.io/users/nicksilkey/statuses/116487438679596700https://board.circlewithadot.net/post/https://hachyderm.io/users/nicksilkey/statuses/116487438679596700Wed, 29 Apr 2026 10:07:35 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:50:53 GMT]]>@sash 🙏 And we live another day

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/photovince/statuses/116487373020768557https://board.circlewithadot.net/post/https://mastodon.social/users/photovince/statuses/116487373020768557Wed, 29 Apr 2026 09:50:53 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:46:35 GMT]]>@sash Great work Sasha (as many other things you have done! :), and thank you for responsibly disclosing it and patiently working with them to properly resolve it.

]]>https://board.circlewithadot.net/post/https://secluded.ch/users/jeroen/statuses/116487356115972668https://board.circlewithadot.net/post/https://secluded.ch/users/jeroen/statuses/116487356115972668Wed, 29 Apr 2026 09:46:35 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:41:50 GMT]]>@sash ye, thats where the identity separation would come into play for me - the account that can nuke your RPKI shouldn't be the one that you do for e-learning. Though I haven't worked with RIPE NCC so I dont know how feasible that is.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487337443940700https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487337443940700Wed, 29 Apr 2026 09:41:50 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:40:22 GMT]]>@nyanbinary yes, although in this case, "administrative" includes almost any RIPE NCC platform, like e-learning courses, the blog (RIPE Labs), running an Atlas measurement, submitting a talk to a RIPE meeting, and so on. The same session token covers all services.

]]>https://board.circlewithadot.net/post/https://hachyderm.io/users/sash/statuses/116487331674054481https://board.circlewithadot.net/post/https://hachyderm.io/users/sash/statuses/116487331674054481Wed, 29 Apr 2026 09:40:22 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:37:49 GMT]]>@sash this is very cool & absolutely gets me thinking about the need for separating standard sessions/identities from administrative sessions again

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487321670924270https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487321670924270Wed, 29 Apr 2026 09:37:49 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 09:11:49 GMT]]>@sash amazing work!

]]>https://board.circlewithadot.net/post/https://ioc.exchange/users/wall_e/statuses/116487219418733486https://board.circlewithadot.net/post/https://ioc.exchange/users/wall_e/statuses/116487219418733486Wed, 29 Apr 2026 09:11:49 GMT<![CDATA[Reply to I found a chain of vulnerabilities in systems at RIPE NCC, operator of one of five global RPKI trust anchors. on Wed, 29 Apr 2026 08:56:03 GMT]]>My disclosure process with RIPE NCC took 14 months, 26 messages, and included two incorrect fixes for the same vulnerability. I wrote about the process, with thoughts on what better would look like for RIPE NCC and others: https://mxsasha.eu/posts/ripe-ncc-disclosure-retrospective/

]]>https://board.circlewithadot.net/post/https://hachyderm.io/users/sash/statuses/116487157409423571https://board.circlewithadot.net/post/https://hachyderm.io/users/sash/statuses/116487157409423571Wed, 29 Apr 2026 08:56:03 GMT