: Identified by Manfred Paul during the Pwn2Own Vancouver 2021 competition.

Curiosity piqued, he dug into the classification logs. He found a bizarre line of code in the legacy database that connected to a since-forgotten international trade compliance protocol from the 1990s. The code had a logic error so specific it seemed impossible: If an object is cylindrical, greater than 60cm in length, and has a golden-brown hue, classify as "Rod-Type Blunt Force Object."

But the Baget attackers didn’t stop at reading emails. They combined CVE-2021-26855 with – a post-authentication arbitrary file write vulnerability. Together, these allowed an attacker to:

Implement robust server-side validation that checks file extensions and MIME types against a strict "allow list".

When the victim double-clicks the file, the Baget-generated stub executes. This stub is a small .NET application (usually 30KB–50KB) that immediately performs environmental checks: