At a time when AI-powered cyber threats and sophisticated state-backed hacking groups dominate the headlines, the absence of elementary security controls continues to pose the most consistent risk. A recent string of vulnerability disclosures shows how exposed “modern” infrastructure remains to the oldest tricks in the book.

Cisco, for instance, was found shipping wireless controllers with hardcoded root credentials, providing attackers a direct path to privileged access. Anthropic’s internal developer platform, MCP, exposed development environments to unauthenticated users due to a misconfigured default. Then the popular observability tool Grafana was hit by a cross-site scripting (XSS) bug that felt like a relic from the early 2000s.

“These aren’t advanced attack vectors,” said Katie Norton, research manager, DevSecOps & software supply chain security at IDC. “The problem is less about legacy code and more about the priorities, pressures, and structures within modern development environments. Until security is treated with the same level of importance as performance or reliability, these well-known vulnerabilities will continue to appear in even the most modern software environments.”

Almost every other expert CSO spoke to echoed Norton’s concern.

Even cybersecurity heavyweights fall for old traps

Flaws that should have been left behind a decade ago are thriving inside some of today’s most trusted tools and platforms. Cisco and printer manufacturer Brother were both shipping devices with hardcoded credentials baked directly into the firmware or software stack. This practice, long condemned by the security community, essentially hands attackers a key to the front door.

Sandy Carielli, vice president and principal analyst – security risk at Forrester, likened these persistent flaws to forgotten scaffolding. “Hardcoded credentials are like placeholders that linger. You mean to remove them later–but ‘later’ never comes.”

Michael Sampson, principal analyst at Osterman Research, said it is “very easy” to hardcode credentials, and the practice is threatening integration options at large due to mounting third-party vulnerabilities. “The mindset is first and foremost speed to market, not security,” he said.

Exposed or weakly authenticated services are still surfacing across enterprise environments, leading to remote code execution (RCE) and other exploits. Citrix’s application delivery platform saw the return of its notorious Bleed flaw–this time dubbed Citrix Bleed 2–via incomplete request handling.

When a flaw re-emerges, as was the case with Citrix Bleed 2, it often turns out that the original fix was incomplete or failed to account for edge cases. That’s partly because, as Carielli pointed out, patching alone is no longer enough. “Fixing a vulnerability today requires more than just a patch. It requires organizations to think about the lifecycle of that fix, the testing, and the long-term impact on the system.”

Earlier this month, Tenable reported Oracle Cloud Infrastructure (OCI) falling to RCE through a file upload endpoint that lacked CSRF protection. Another instance of oversight was SAP’s encryption implementation, which, despite the company’s enterprise-grade reputation, lacked proper safeguards for sensitive data, a reminder that outdated or poorly applied cryptography can still slip through in modern deployments.

Carielli noted, “We tend to learn the same lessons over and over again when it comes to application security. In our rush to adopt new technologies, best practices often fall by the wayside — especially in organizations that lack a mature DevSecOps function.”

Why are we still here?

For all the industry talk about development practices, threat modelling, and DevSecOps, the same root causes keep surfacing with surprising regularity. “Developing code without vulnerabilities, weaknesses, and shortcomings is hard,” Sampson said. “Despite advances in tooling, doing a quick fix that you promise to revisit later has less friction than trying to get everything right the first time.”

Norton described it as an organizational mindset problem: “There’s still a cultural disconnect. Developers may lack the training, time, or tools to consistently apply secure practices, while security teams may not be equipped to provide timely, context-aware guidance. Security isn’t always embedded, it’s tacked on.”

And then there’s AI. “AI-assisted code generation is often trained on imperfect, flawed code in the wild,” warned Carielli. “It’s not going to magically generate secure code unless we scan it and integrate it into a robust DevSecOps process.”

Sampson agreed. “AI for code generation and AI for enforcing secure defaults are different solutions, but we often assume they’re the same.”

Vendors, meanwhile, face few incentives to re-audit aging systems, particularly when those systems are technically “out of support” but still widely deployed. This results in a patchwork of vulnerable endpoints lurking in networks, years after their manufacturers have moved on.

Infrastructure is stuck in the past

These recurring failures often stem from what might be called the infrastructure catch-up problem. Devices like printers, routers, and wireless controllers are still being deployed with embedded security models that haven’t fundamentally changed since the early 2000s. Once installed in enterprise environments, these devices are rarely patched–partly due to operational complexity, and partly because patching is simply not prioritized.

In parallel, large organizations are layering next-gen tools on top of brittle legacy systems. While developers race to integrate AI and microservices, the underlying platforms are full of old code, default configurations, and forgotten modules.

“There’s a belief in some quarters that ‘it won’t happen to us’–a kind of security by obscurity,” said Sampson. “But legacy foundations remain a critical root cause across the board.”

What must CISOs do?

So what can security leaders do when the same foundational issues keep cropping up? The answer lies not in waiting for silver bullets but in recommitting to basic, deliberate action, experts say. 

Carielli recommends embedding tools directly into the pipeline. “Incorporate code scanning tools like SAST and SCA into the dev pipeline, and make sure that findings are triaged so teams can focus on the most impactful issues.”

Norton emphasized automation that helps developers fix issues, not just find them. “Invest in tools that provide context-specific secure code suggestions – AI can help scale security if it’s tuned for remediation, not just detection.”

And Sampson, with a nod to developer UX, said, “We need the coding equivalent of Grammarly.” It’s also time to rethink secure-by-design. All three experts noted that the current gap is not due to apathy, but scale, complexity, and a lack of alignment. “Secure by design is a continuum, not a one-stop shop,” Sampson said. “Practices have to mature within the organizational culture, or they don’t stick.”
