cR0w
@cR0w@infosec.exchange

SolarWinds published a CVE that's not listed in the advisories on their site yet. Normally IDGAF about their stuff but hardcoded creds and keys are a big no-no and so easily avoided. This one is in Database Performance Analyzer.

https://www.cve.org/CVERecord?id=CVE-2025-26398

#patchTuesday


jonw
@jonw@cosocial.ca

@cR0w@infosec.exchange meh. It's only a 5.6 🙄🙄

cR0w
@cR0w@infosec.exchange

@jonw@cosocial.ca It's a hardcoded key. Even though this particular one may have some special conditions to be met and is given a low CVSS score, it shows the kind of shit that a company that size has in prod. I would bet a shiny nickel that it's not the only one still out there in their products.

jonw
@jonw@cosocial.ca

@cR0w@infosec.exchange I see I chose the wrong smiley. It was supposed to be sarcastic. Ofc that's an idiotic way to get your shit on the CVE board.

cR0w
@cR0w@infosec.exchange

@jonw@cosocial.ca Ah. I get it now. I thought it was meant to imply you were rolling your eyes at me. Even with emojis, text between strangers is hard. I appreciate the clarification.