Cisco has admitted that some of its video surveillance products have “undocumented, default, static user credentials” that could be used to take total control of a device.
The critical-rated bug, detailed here, impacts “Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS).”
“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” Cisco’s advisory explains.
“An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
There’s a tiny ray of sunshine in the news: “The user credentials are not documented publicly.” The bug also only made it into versions 7.10, 7.11, and 7.11.1 of VSM, and even then only if the software was pre-installed by Cisco onto four SKUs of the UCS product.
On the downside, version 7.10 was released in March 2018, so the problem – and the chance for the default password to leak – has been present for over six months.
The fix is simple: Cisco VSM Software 7.12 is available now.