{"id":14474,"date":"2025-07-21T08:11:03","date_gmt":"2025-07-21T08:11:03","guid":{"rendered":"https:\/\/newestek.com\/?p=14474"},"modified":"2025-07-21T08:11:03","modified_gmt":"2025-07-21T08:11:03","slug":"from-hardcoded-credentials-to-auth-gone-wrong-old-bugs-continue-to-break-modern-systems","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14474","title":{"rendered":"From hardcoded credentials to auth gone wrong: Old bugs continue to break modern systems"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>At a time when AI-powered cyber threats and sophisticated state-backed hacking groups dominate the headlines, the absence of elementary security controls remains the most consistent risk. A recent string of vulnerability disclosures shows how exposed \u201cmodern\u201d infrastructure still is to the oldest tricks in the book.<\/p>\n<p>Cisco, for instance, was found shipping Unified Communications Manager with <a href=\"https:\/\/www.csoonline.com\/article\/4016769\/hardcoded-root-credentials-in-cisco-unified-cm-trigger-max-severity-alert.html\">hardcoded root credentials<\/a>, giving attackers a direct path to privileged access. Anthropic\u2019s MCP Inspector, a developer tool for the Model Context Protocol, <a href=\"https:\/\/www.csoonline.com\/article\/4016090\/critical-rce-flaw-in-anthropics-mcp-inspector-exposes-developer-machines-to-remote-attacks.html\">exposed developer machines<\/a> to unauthenticated remote code execution because its proxy accepted commands without authentication by default. 
Then the popular observability tool Grafana was hit by a <a href=\"https:\/\/www.csoonline.com\/article\/4007522\/grafana-ghost-xss-flaw-exposes-47000-servers-to-account-takeover.html\">cross-site scripting (XSS) bug<\/a> that felt like a relic from the early 2000s, yet left tens of thousands of internet-facing servers open to account takeover.<\/p>\n<p>\u201cThese aren\u2019t advanced attack vectors,\u201d said Katie Norton, research manager, DevSecOps &amp; software supply chain security at IDC. \u201cThe problem is less about legacy code and more about the priorities, pressures, and structures within modern development environments. Until security is treated with the same level of importance as performance or reliability, these well-known vulnerabilities will continue to appear in even the most modern software environments.\u201d<\/p>\n<p>Almost every other expert CSO spoke to echoed Norton\u2019s concern.<\/p>\n<h2 class=\"wp-block-heading\">Even cybersecurity heavyweights fall for old traps<\/h2>\n<p>Flaws that should have been left behind a decade ago are thriving inside some of today\u2019s most trusted tools and platforms. Cisco and <a href=\"https:\/\/www.csoonline.com\/article\/4014095\/some-brother-printers-have-a-remote-code-execution-vulnerability-and-they-cant-fix-it.html\">printer manufacturer Brother<\/a> were both shipping products whose administrative access was unlocked by credentials baked into the firmware or software stack: a hardcoded root account in Cisco\u2019s case, and in Brother\u2019s a default administrator password derivable from the device serial number, which the vendor cannot fix by firmware update on units already manufactured. This practice, long condemned by the security community, essentially hands attackers a key to the front door.<\/p>\n<p>Sandy Carielli, vice president and principal analyst \u2013 security risk at Forrester, likened these persistent flaws to forgotten scaffolding. \u201cHardcoded credentials are like placeholders that linger. 
You mean to remove them later\u2013but \u2018later\u2019 never comes.\u201d<\/p>\n<p>Michael Sampson, principal analyst at Osterman Research, said it is \u201cvery easy\u201d to hardcode credentials, and that the practice puts third-party integrations at risk across the board as vulnerabilities in those components mount. \u201cThe mindset is first and foremost speed to market, not security,\u201d he said.<\/p>\n<p>Exposed or weakly authenticated services are still surfacing across enterprise environments, leading to remote code execution (RCE) and other exploits. Citrix\u2019s NetScaler application delivery platform saw the return of its <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\">notorious Bleed flaw<\/a>\u2013this time dubbed <a href=\"https:\/\/www.csoonline.com\/article\/4014701\/patch-now-citrix-bleed-2-vulnerability-actively-exploited-in-the-wild.html\">Citrix Bleed 2<\/a> and actively exploited in the wild\u2013in the form of a memory over-read caused by insufficient input validation of authentication requests, which leaks session tokens from the appliance\u2019s memory to unauthenticated attackers.<\/p>\n<p>When a flaw re-emerges, as was the case with Citrix Bleed 2, it often turns out that the original fix was narrow: it closed one code path but failed to account for edge cases or the wider bug class. That\u2019s partly because, as Carielli pointed out, patching alone is no longer enough. \u201cFixing a vulnerability today requires more than just a patch. It requires organizations to think about the lifecycle of that fix, the testing, and the long-term impact on the system.\u201d<\/p>\n<p>Earlier this month, Tenable reported that the Code Editor in <a href=\"https:\/\/www.csoonline.com\/article\/4023337\/one-click-to-compromise-oracle-cloud-code-editor-flaw-exposed-users-to-rce.html\">Oracle Cloud Infrastructure<\/a> (OCI) was open to one-click RCE because a file upload endpoint lacked cross-site request forgery (CSRF) protection. 
Another instance of oversight involved <a href=\"https:\/\/www.csoonline.com\/article\/4012446\/sap-gui-flaws-expose-sensitive-data-via-weak-or-no-encryption.html\">SAP GUI<\/a>, which, despite the company\u2019s enterprise-grade reputation, stored sensitive user input with weak or no encryption, a reminder that outdated or poorly applied cryptography still slips through in modern deployments.<\/p>\n<p>Carielli noted, \u201cWe tend to learn the same lessons over and over again when it comes to application security. In our rush to adopt new technologies, best practices often fall by the wayside \u2014 especially in organizations that lack a mature DevSecOps function.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why are we still here?<\/h2>\n<p>For all the industry talk about development practices, threat modeling, and DevSecOps, the same root causes keep surfacing with surprising regularity. \u201cDeveloping code without vulnerabilities, weaknesses, and shortcomings is hard,\u201d Sampson said. \u201cDespite advances in tooling, doing a quick fix that you promise to revisit later has less friction than trying to get everything right the first time.\u201d<\/p>\n<p>Norton described it as an organizational mindset problem: \u201cThere\u2019s still a cultural disconnect. Developers may lack the training, time, or tools to consistently apply secure practices, while security teams may not be equipped to provide timely, context-aware guidance. Security isn\u2019t always embedded, it\u2019s tacked on.\u201d<\/p>\n<p>And then there\u2019s AI. \u201cAI-assisted code generation is often trained on imperfect, flawed code in the wild,\u201d warned Carielli. \u201cIt\u2019s not going to magically generate secure code unless we scan it and integrate it into a robust DevSecOps process.\u201d<\/p>\n<p>Sampson agreed. 
\u201cAI for code generation and AI for enforcing secure defaults are different solutions, but we often assume they\u2019re the same.\u201d<\/p>\n<p>Vendors, meanwhile, face few incentives to re-audit aging systems, particularly when those systems are technically \u201cout of support\u201d but still widely deployed. This results in a patchwork of vulnerable endpoints lurking in networks, years after their manufacturers have moved on.<\/p>\n<h2 class=\"wp-block-heading\" id=\"infrastructure-is-stuck-in-the-past\">Infrastructure is stuck in the past<\/h2>\n<p>These recurring failures often stem from what might be called the infrastructure catch-up problem. Devices like printers, routers, and wireless controllers are still being deployed with embedded security models that haven\u2019t fundamentally changed since the early 2000s. Once installed in enterprise environments, these devices are rarely patched\u2013partly due to operational complexity, and partly because patching is simply not prioritized.<\/p>\n<p>In parallel, large organizations are layering next-gen tools on top of brittle legacy systems. While developers race to integrate AI and microservices, the underlying platforms are full of old code, default configurations, and forgotten modules.<\/p>\n<p>\u201cThere\u2019s a belief in some quarters that \u2018it won\u2019t happen to us\u2019\u2013a kind of security by obscurity,\u201d said Sampson. \u201cBut legacy foundations remain a critical root cause across the board.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What must CISOs do?<\/h2>\n<p>So what can security leaders do when the same foundational issues keep cropping up? The answer lies not in waiting for silver bullets but in recommitting to basic, deliberate action, experts say.<\/p>\n<p>Carielli recommends embedding tools directly into the pipeline. 
\u201cIncorporate code scanning tools like <a href=\"https:\/\/www.csoonline.com\/article\/3513844\/application-detection-and-response-is-the-gap-bridging-technology-we-need.html?utm=hybrid_search#:~:text=application%20security%20testing-,(SAST\/DAST),-%2C%20software%20composition%20analysis\">SAST<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3633403\/how-organizations-can-secure-their-ai-code.html?utm=hybrid_search#:~:text=One%20way%20to%20address%20this%20is%20to%20use%20software%20composition%20analysis%20(SCA)\">SCA<\/a> into the dev pipeline, and make sure that findings are triaged so teams can focus on the most impactful issues.\u201d<\/p>\n<p>Norton emphasized automation that helps developers fix issues, not just find them. \u201cInvest in tools that provide context-specific secure code suggestions \u2013 AI can help scale security if it\u2019s tuned for remediation, not just detection.\u201d<\/p>\n<p>And Sampson, with a nod to developer UX, said, \u201cWe need the coding equivalent of Grammarly.\u201d It\u2019s also time to rethink <a href=\"https:\/\/www.csoonline.com\/article\/3595488\/cisas-guides-can-help-you-demand-and-receive-secure-software-from-the-get-go.html\">secure-by-design<\/a>. All three experts noted that the current gap is not due to apathy, but to scale, complexity, and a lack of alignment. \u201cSecure by design is a continuum, not a one-stop shop,\u201d Sampson said. \u201cPractices have to mature within the organizational culture, or they don\u2019t stick.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>At a time when AI-powered cyber threats and sophisticated state-backed hacking groups dominate the headlines, the absence of elementary security controls remains the most consistent risk. A recent string of vulnerability disclosures shows how exposed \u201cmodern\u201d infrastructure still is to the oldest tricks in the book. 
Cisco, for instance, was found shipping Unified Communications Manager with hardcoded root credentials, giving attackers a direct path to&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14474\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14474","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14474"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14474\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}