I wonder how many other 5000+ employee companies that develop their own remote access software have an entire separate redundant system..

Their unique risk is "our remote access product broke (globally, or widespread) but we can't fix it because we don't have access anymore... because we use it too and it's broken".

You can cut off your own arms pretty easily even if you're not the vendor, but it would look particularly bad for them.

Yeah in theory disciplined updates and testing should resolve the risk, but sensible to have a fallback.

Also interesting question:

How many 5000+ employee companies do have redundant system? How may have only a single highly proprietary system without any fallback?

Here is the link to the full technical paper: https://research.checkpoint.com/2020/apache-guacamole-rce/

I didn't realize the tool was called "guacamole". Now the headline makes more sense.

I applaud them for using open source software, and contributing back their findings, but my first thought reading this was "isn't it a little odd a security appliance vendor who actively markets a "Remote Secure Access" system doesn't rely on there own systems?" Their website has a whitepaper link on every page on how your business should use them for remote access.

'We chose two different remote access solutions, so in the event of one failing, we would have redundancy and an alternative to enable work to continue,” says Fischbein, “One of the solutions was based on open-source Apache Guacamole'

I suspect you are right that it's just a story telling prop, but they did address why it might be practical for them to have such a solution in place.