I am currently pursuing an integrated Bachelor's and Master's degree in Cyberspace Security at Nanjing University of Posts and Telecommunications. I used to participate in CTF competitions as a Pwn player for the X1cT34m and SU teams. At present, I am focusing on IoT security, system and software security, and natural language processing (NLP).
I have previously committed to vulnerability discovery in IoT firmware. During that period of time, I independently discovered hundreds of vulnerabilities in IoT devices, all of which were authorized by CVE, CNVD or CNNVD. Among them, dozens of vulnerabilities have been publicly acknowledged by leading international manufacturers. Additionally, I have been inducted into the Hall of Fame by both ASUS and Zyxel.
The following are some of the publicly disclosed vulnerabilities for which I have received acknowledgments.
- Ruijie Networks ReyeeOS Unauthorized RCE vulnerability CVE-2023-34644. The vulnerability affects hundreds of device models under categories including routers, switches, wireless access points, and wireless access controllers, potentially allowing direct control of nearly 200,000 devices on the public internet.
- Cisco RV34x Series Unauthorized File Upload vulnerability CVE-2023-20073, which is considered by TOP10VPN to be one of the three most critical VPN vulnerabilities in 2023.
- Cisco RV0xx, RV32x Series Remote Command Execution vulnerabilities: CVE-2023-20117 & CVE-2023-20128 and CVE-2023-20118
- Xiaomi AX9000 Router Command Injection vulnerabilities: CVE-2023-26315 and CVE-2024-45348
- Zyxel NBG6604 Router Command Injection vulnerability: CVE-2023-33013
- ASUS Several devices have multiple Remote Command Execution vulnerabilities: CVE-2023-38031 & CVE-2023-38032 & CVE-2023-38033 & CVE-2023-39236 & CVE-2023-39237
To travel on a public budget, I participated in many competitions. Here are some of the awards that I remember.
- National College Student Information Security Competition - Grand Final - First Prize
- XCTF International Network Attack and Defense League - Grand Final - First Prize
- "Rao Pai Cup" Internet of Vehicles Security Challenge - Grand Final - Special Prize (Champion)
- National College Student Information Security Competition - Semifinal - First Prize (Champion)
- "Qiangwang" International Elite Challenge On Cyber Mimic Defense - Grand Final - Second Prize
- Lanqiao Cup (Quanqian Cup) Programming Competition - Grand Final - Second Prize
Due to specific vulnerability disclosure policies, I seldom write technical blogs. Nevertheless, I'm honored that some of my articles have achieved significant viewership.
- Reproducing the DIR-815 Stack-overflow Vulnerability from scratch
- Vulnerability Analysis and Reproduction Related to the UPnP Protocol in CGIBIN
- Discovering an unauthorized RCE vulnerability affecting all devices (CVE-2023-34644)
[To be updated]