CISA and the FBI recently issued an alert emphasizing the importance of a secure-by-design approach in product development. They highlighted critical OS Command Injection vulnerabilities in Cisco, Palo Alto, and Ivanti.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability.” (CISA)
Defenders, don’t get complacent thinking that “awesome, unhackable security device” you bought will stop the threat actor hordes at the gate. Assume it is breachable, apply defense-in-depth strategies, and keep hunting for those intrusions walking right through your “uber-secure” security devices.
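The separation of user input from command contents that the CISA quote describes, as an added example (not code from the alert or from this post): one constructed lookup handler written three ways. It assumes a POSIX system where `echo` stands in for the real diagnostic tool; the function names and the sample input are hypothetical.

```python
import re
import subprocess

# Constructed input: a "hostname" field carrying a shell metacharacter and a second command.
HOSTILE = "example.test; echo INJECTED"

# Conservative allowlist (assumption: ASCII hostnames only). Requiring a leading
# alphanumeric also rejects values such as "-n" that the tool would read as options.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_vulnerable(host: str) -> list[str]:
    """CWE-78 pattern: user input is pasted into a string that /bin/sh parses."""
    out = subprocess.run(f"echo lookup {host}", shell=True,
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def lookup_separated(host: str) -> list[str]:
    """Input travels as a single argv element; no shell ever parses it."""
    out = subprocess.run(["echo", "lookup", host],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def lookup_hardened(host: str) -> list[str]:
    """Separation plus validation: anything that is not a plain hostname is refused."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_separated(host)


if __name__ == "__main__":
    # The shell splits the string at ";" and runs the second command.
    print("vulnerable:", lookup_vulnerable(HOSTILE))
    # The same bytes arrive at the tool as inert data.
    print("separated: ", lookup_separated(HOSTILE))
    try:
        lookup_hardened(HOSTILE)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Argument-vector separation removes the shell from the path, but the allowlist still matters: without it, a value beginning with `-` would reach the tool as an option rather than as a hostname.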