Pure conjecture. But let’s say SolarWinds is using a known popular build server, and this build server was only ever going to be accessed by internal resources and employees.
Then let’s say this build server had an unusually high usage of build plugins. And the upgrading of that product was difficult and sometimes troublesome because of these custom plugins and their interdependencies. And so at some point they missed an upgrade or two by accident, or because upgrading is hard.
Now they are running a build server with several known vulnerabilities. But because that build server isn’t public, it’s really no big deal that it’s a bit out of date. Until it is.
That sounds very interesting and frightening at the same time.
Could it be that there are more companies out there in a kind of similar situation? It would be quite bad of course if such information were to become widely known, I could imagine.