Your IT department just received notice that your network switches received a signed OS update that included feature improvements and fixes for security vulnerabilities. That’s good news, right?
Wrong. Within weeks of the update being installed, you find that your company, and those switches, have been hacked. A China-backed advanced persistent threat (APT) actor gained access to your network through a compromised employee account and took remote control of the switches: executing code to surveil network communications, move laterally within your environment, and take control of high-value IT assets and data.
How did that happen? Well, what you didn’t know is that a remotely exploitable flaw in a third-party software module lurked in the signed switch OS update from the vendor that you readily deployed. A patch for that flaw had been available for months, so you assumed your large, reputable networking equipment vendor had applied it to secure their products. But you were wrong. That was a sad truth revealed to you first by the Chinese APT group and, after the fact, by the vendor in the release notes for their emergency OS update.
This scenario isn’t hypothetical. Security flaws that lurk in proprietary, third-party software are the thread that ties together successful hacks of organizations large and small in recent years. Without a way to check software updates for known risks, those organizations are easy prey for malicious actors that actively target flaws hiding in commercial software binaries.
[ Download Today: 2025 Software Supply Chain Security Report | Join the SSCS Report Webinar ]
The exposed state of commercial software
To shed light on this not-so-silent epidemic of insecure commercial software, RL security researchers analyzed 30 widely used third-party binaries using Spectra Assure™, RL’s software supply chain security platform. The applications the team scanned included recent versions of widely used commercial and open-source operating systems, web browsers, video conferencing software and virtual private network (VPN) software, among others. Client executables were scanned, as well as installer and setup files for dozens of applications.
What did we find? Many of the scanned packages received a grade of “fail” from Spectra Assure. That was due to chronic issues such as the presence of known vulnerabilities in the software. For example, RL’s scans included 20 distinct versions of VPN clients from six prominent vendors and found that seven of the VPN packages contained one or more software vulnerabilities that are considered “patch-mandated,” meaning that they are being actively exploited by malware and cybercriminal groups.
RL also found a lack of “application hardening.” For example, the commercial applications we scanned often failed to properly employ technologies like Address Space Layout Randomization (ASLR), which protects software from code-injection attacks, or Data Execution Prevention (DEP), a type of vulnerability mitigation that limits the ability of attackers to use stack and heap overflow attacks to plant malicious code.
And then there are development secrets such as access credentials, API keys, and other sensitive information that can power sophisticated attacks against organizations using the vulnerable software. These secrets are often left within commercial software by accident, or they are hard-coded into code to facilitate access to external systems. RL’s scans of commercial software binaries turned up multiple instances of exposed credentials, including the presence of embedded private keys in the Windows installer for a leading commercial video conferencing application.
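As an added example of the kind of check a consumer of a software package can run before deploying it (this is not RL's code and not part of Spectra Assure), the Python below scans a binary blob for embedded PEM private keys, AWS-style access key IDs and generic api_key assignments, and reports each finding by kind, offset and a hash prefix rather than echoing the secret itself. The SAMPLE_INSTALLER bytes are a constructed stand-in for an installer's contents; the access key ID in it is AWS's published documentation example and none of the values are real credentials.

```python
"""Scan a software package for embedded secrets and report them without echoing them."""
import hashlib
import re

# Constructed sample standing in for the contents of an installer: a little binary
# padding, two config fragments and a PEM block. None of these values are real.
SAMPLE_INSTALLER = (
    b"MZ\x90\x00" + b"\x00" * 32 +
    b"update_url=https://updates.example.invalid/v2\n"
    b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOGFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEY0123456789\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"api_key = \"sk_live_FAKE0123456789abcdef\"\n"
)

PEM_LABEL = rb"(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY"

# (label, compiled pattern). A pattern with one capture group reports only that group.
PATTERNS = [
    ("pem_private_key",
     re.compile(rb"-----BEGIN " + PEM_LABEL + rb"-----.*?-----END " + PEM_LABEL + rb"-----", re.S)),
    ("aws_access_key_id",
     re.compile(rb"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_api_key",
     re.compile(rb"\bapi[_-]?key\b\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})", re.I)),
]


def scan_for_secrets(blob: bytes) -> list:
    """Return findings sorted by offset; the secret bytes themselves are never stored."""
    findings = []
    for label, pattern in PATTERNS:
        for match in pattern.finditer(blob):
            idx = 1 if pattern.groups else 0       # report the captured value when there is one
            secret = match.group(idx)
            findings.append({
                "kind": label,
                "offset": match.start(idx),
                "length": len(secret),
                # Hash prefix lets two scans confirm they found the same value without sharing it.
                "sha256_prefix": hashlib.sha256(secret).hexdigest()[:12],
            })
    return sorted(findings, key=lambda f: f["offset"])


def summarize(findings: list) -> dict:
    """Count findings per kind, for a quick pass/fail view of a package."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan_for_secrets(SAMPLE_INSTALLER):
        print(finding)
    print(summarize(scan_for_secrets(SAMPLE_INSTALLER)))
```

For a real installer, read the file in binary mode and pass the bytes to scan_for_secrets(); for packed or compressed installers the payload has to be extracted first, since the patterns only match plaintext. A hit on a PEM block or cloud key ID in a vendor package is a reason to ask the vendor what the credential grants access to before the software goes into production.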
Commercial software: The fuel for major attacks
The prevalence of severe software security issues — and the lack of attention they receive — fuels our current epidemic of devastating cybercriminal and nation state hacks that have crippled everything from hospital chains to critical infrastructure and local governments.
Microsoft recently disclosed efforts by the Chinese hacking and espionage group known as “Silk Typhoon” to compromise sensitive, targeted organizations in the defense, government, legal, and higher education sectors. Their campaign includes discovering and targeting vulnerable third-party services and software providers, including IT providers, identity management, privileged access management, and RMM solutions, Microsoft said. The group also leverages leaked or stolen secrets like API keys to access downstream customers of the compromised vendors where “they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives.”
This isn’t a new problem. In fact, a lack of transparency about software quality and risk is as old as the software industry itself. What’s changed is the risk landscape: the presence, willingness, and ability of malicious state and criminal actors to leverage software flaws to further their mission – whether that be financial or geopolitical.
Wanted: Commercial software transparency and accountability
As long as these software supply chain risks remain unaddressed, they set the stage for bigger and more disruptive cyberattacks in 2025 and beyond. As it stands, our status quo lacks incentives for software producers to secure their software and services. It also greatly complicates efforts by end-user organizations to assess the risks lurking in the software and services delivered to them by their trusted suppliers.
To help give shape to the software supply chain risks percolating in both the public and private sectors, as well as on critical infrastructure, RL’s "2025 Software Supply Chain Security Report" exposes these issues by digging into supply chain attack vectors such as the exploitation of proprietary software flaws that are increasingly the favored tools of both cybercriminal and nation-state actors. The report also provides valuable insights into the evolving cyber-risk landscape, a useful preview of the kinds of threats and attacks that organizations will be asked to defend against in the months and years ahead.
Get RL's new report to learn more about commercial software risks — and what to do about them. Plus: Join RL chief software architect Tomislav Peričin and editorial director Paul Roberts, as well as Chris Hughes, CEO of Aquia, for this webinar, where they will unpack the key findings of the annual report.
Keep learning
- Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: Join our Webinar to discuss the findings.
- Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and join our Webinar to learn how RL discovered the novel threat.
- Learn how commercial software risk is under-addressed: Download the white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.