Michael Sampson, principal analyst at Osterman Research, said it is “very easy” to hardcode credentials, and the practice is threatening integration options at large due to mounting third-party vulnerabilities. “The mindset is first and foremost speed to market, not security,” he said.
Exposed or weakly authenticated services are still surfacing across enterprise environments, leading to remote code execution (RCE) and other exploits. Citrix’s application delivery platform saw the return of its notorious Bleed flaw, this time dubbed Citrix Bleed 2, via incomplete request handling.
When a flaw re-emerges, as was the case with Citrix Bleed 2, it often turns out that the original fix was incomplete or failed to account for edge cases. That’s partly because, as Careilli pointed out, patching alone is no longer enough. “Fixing a vulnerability today requires more than just a patch. It requires organizations to think about the lifecycle of that fix, the testing, and the long-term impact on the system.”
Earlier this month, Tenable reported Oracle Cloud Infrastructure (OCI) falling to RCE over a neglected CSRF protection on a file upload endpoint. Another instance of oversight involved SAP’s encryption implementation, which, despite the company’s enterprise-grade reputation, lacked proper safeguards for sensitive data. This highlights that outdated or poorly applied cryptography can still slip through in modern deployments.