From Discovery to Disclosure: ReCrystallize Server Vulnerabilities

ID: 0411d22f-7e51-5861-a3fb-59013f9016de

STIX ID: report--0411d22f-7e51-5861-a3fb-59013f9016de

Feed Name: SensePost Blog

Threat Score: 75/100

Date Published: 2024-03-22

Date Updated: 2026-04-30

This blog post describes the discovery and responsible disclosure of multiple vulnerabilities in ReCrystallize Server — notably an authentication bypass (CVE-2024-26331) and an unrestricted file upload that enables remote code execution (CVE-2024-28269). The author demonstrates exploitation (including RCE as SYSTEM and outbound SMB/NTLM capture), details additional insecure features (unauthenticated file download, LFI-like behavior), and provides mitigation guidance and a disclosure timeline.
