Another company got caught with its hand in the cookie jar, and this time we are not talking about the firmware of some cheap home router:
CVE-2017-10151, CVSS 3.0 Base Score 10.0:
Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Supported versions that are affected are 11.1.1.7, 11.1.2.3 and 12.2.1.3.
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager.
While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager.
The issue is pretty simple: Oracle added a default account with administrative privileges and hardcoded credentials to their product to ease development work. This is what is commonly called a backdoor.
While there are obviously no statistics available about such practices …