This round includes yet another LPE in GlobalProtect.
https://security.paloaltonetworks.com/CVE-2025-2183
Shared default creds across Cortex Broker VMs is a dumb one:
https://security.paloaltonetworks.com/CVE-2025-2184
Exposed CAKs is just fun to say because I'm 12:
https://security.paloaltonetworks.com/CVE-2025-2182
And a few others in there. Happy hacking.
Petition to rename GlobalProtect to sudo since all it does is provide PrivEsc.
@cR0w@infosec.exchange your post will be shared with my team mates and we will (likely) cry-laugh
@cR0w@infosec.exchange I'd love to look at the correlation between scaling pushes and CVE disclosure. I bet there's a constant offset there. Oh, your company is mass hiring to build product X in a big push to market? Cool, we'll watch the CVE dumps 5-7 years from now.
@cR0w@infosec.exchange fffffff
*checks last sudo release from Palo...
6.2.8-c2

where you guys getting 6.3.3?!!?!
@cR0w@infosec.exchange Owie.
@cR0w@infosec.exchange lmfao
@nerdpr0f@infosec.exchange @cR0w@infosec.exchange
My theory is most vulnerabilities in that class exist because the platform was built on something long exploited but they refused to patch, also known as "somebody else's problem"...
@nerdpr0f@infosec.exchange That would be some interesting research.
@Fork_Merge@mastodon.social @cR0w@infosec.exchange My hypothesis is that it's a function of the push for time-to-market. Rather than give people the time needed to develop a complex platform that works well and is sustainable long-term, the market forces incentivize behaviors that prioritize short-term optimization over long-term risk reduction.
@nerdpr0f@infosec.exchange @Fork_Merge@mastodon.social "This will work great for two years when my options vest and I move to another gig."
@cR0w@infosec.exchange @Fork_Merge@mastodon.social Maybe, but at the higher level.
This will work well enough until we've made enough profit from it that we can just discontinue it and sell people the replacement.
@nerdpr0f@infosec.exchange @Fork_Merge@mastodon.social Ah. Yeah, that checks out.
@cR0w@infosec.exchange @Fork_Merge@mastodon.social I'm just increasingly thinking that there aren't very many incentives - and that there may well be incentives in the opposite direction - for making quality products.
@nerdpr0f@infosec.exchange @Fork_Merge@mastodon.social That's certainly the case in the security industry. The worse they perform, the more they sell.