CVE-2025-1568, dubbed “GerriScary”, has shaken the open-source ecosystem by exposing a fundamental weakness in Google’s Gerrit code review system—one that could have enabled attackers to infiltrate 18 of Google’s most widely used open-source projects, including Chromium, ChromiumOS, Dart, and Bazel.
This episode breaks down how the vulnerability was discovered by researchers at Tenable using a subtle but powerful HTTP status code fingerprinting technique. A simple 209 response exposed whether a user had the “addPatchSet” permission on a given project. That small indicator opened the door to a potentially massive software supply chain compromise, allowing malicious patchsets to be injected silently into production workflows.
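As an added example (not code from the episode or from Tenable's research), the following Python flags accounts that probe many projects' change endpoints and are mostly denied, which is the access pattern a permission-fingerprinting sweep leaves behind. The log lines are constructed; their Apache-style layout, the `/changes/{project}~{number}/edit` path, and the thresholds are assumptions, and the 209/403 split is the indicator the episode describes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines; the Apache-style field layout and the request path
# are assumptions for illustration, not a real server's log.
SAMPLE_LOG = """\
203.0.113.5 - probe-user [20/Jun/2025:10:00:01 +0000] "PUT /a/changes/chromium%2Fsrc~12345/edit HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.5 - probe-user [20/Jun/2025:10:00:02 +0000] "PUT /a/changes/chromiumos%2Fplatform~222/edit HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.5 - probe-user [20/Jun/2025:10:00:03 +0000] "PUT /a/changes/dart-lang%2Fsdk~333/edit HTTP/1.1" 209 0 "-" "curl/8.0"
203.0.113.5 - probe-user [20/Jun/2025:10:00:04 +0000] "PUT /a/changes/bazelbuild%2Fbazel~444/edit HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - dev-alice [20/Jun/2025:10:05:00 +0000] "PUT /a/changes/chromium%2Fsrc~12346/edit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - dev-alice [20/Jun/2025:10:06:00 +0000] "GET /a/changes/chromium%2Fsrc~12346/detail HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Gerrit change URLs carry the URL-encoded project name before "~".
CHANGE_RE = re.compile(r'/changes/(?P<project>[^~/]+)~')


def find_permission_probers(log_text, min_projects=3, min_denied_ratio=0.5):
    """Return users whose write requests touch many projects and are mostly refused.

    A legitimate contributor writes to a few projects and is rarely denied; a
    permission sweep touches many projects and collects 403s, with an occasional
    209 marking a project where the account does hold addPatchSet.
    """
    per_user = defaultdict(lambda: {"projects": set(), "writes": 0, "denied": 0, "allowed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("PUT", "POST"):
            continue  # only write attempts reveal permission state
        c = CHANGE_RE.search(m["path"])
        if not c:
            continue
        stats = per_user[m["user"]]
        stats["projects"].add(unquote(c["project"]))
        stats["writes"] += 1
        if m["status"] == "403":
            stats["denied"] += 1
        elif m["status"] == "209":
            stats["allowed"] += 1
    flagged = {}
    for user, s in per_user.items():
        ratio = s["denied"] / s["writes"]
        if len(s["projects"]) >= min_projects and ratio >= min_denied_ratio:
            flagged[user] = {"projects": sorted(s["projects"]),
                             "denied_ratio": round(ratio, 2), "allowed": s["allowed"]}
    return flagged
```

Tune the thresholds to your own contributor base before alerting on this; the point is the cross-project spread of denials, not any single 403.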
We also explore the broader threat landscape with critical and actively exploited vulnerabilities, such as:
🔓 CVE-2023-0386 – A Linux kernel flaw exploited for root access
🧨 CVE-2025-23121 – Remote code execution on Veeam Backup Server
💣 CVE-2025-2783 – A Google Chrome zero-day used by the Trinper backdoor
📡 CVE-2023-33538 – Command injection in TP-Link routers, actively exploited
🔥 CVE-2024-1086 – Use-after-free in Linux netfilter, leading to system takeover
From hardcoded keys in enterprise tools to command injections in home routers, we highlight how poor development practices continue to fuel real-world threats.
But this isn’t just about reacting to flaws. We dissect the NIST Secure Software Development Framework (SSDF), now more relevant than ever. You’ll learn how the SSDF’s four core areas—Prepare, Protect, Produce, and Respond—provide a practical roadmap to building secure software, preventing flaws like GerriScary, and rapidly responding when the next critical CVE emerges.
Whether you’re a software engineer, CISO, or security architect, this episode offers a grounded and urgent look at the real-world risks of unpatched systems, insecure third-party dependencies, and weak DevSecOps discipline—and how to fix them.