This article originally appeared on ZDNet.
Cisco has supplied a patch for its Video Surveillance Manager software to erase hardcoded default credentials for the root account.
Admins responsible for appliances running Cisco's surveillance software should urgently patch the flaw, which has a Common Vulnerability Scoring System (CVSS) version 3 score of 9.8 out of a possible 10.
The flaw would allow an attacker who discovered the default credentials to take control of an affected system as the root user.
"The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems," Cisco notes in its advisory.
"An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user."
The flaw, tracked as CVE-2018-15427, affects preinstalled instances of Cisco Video Surveillance Manager (VSM) Software Releases 7.10, 7.11, and 7.11.1 on four of the company's Connected Safety and Security Unified Computing System (UCS) appliances.
Affected models include CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9.
Cisco said the flaw exists because it failed to disable the root account and default credentials before it installed the software. The user credentials have not been publicly disclosed, according to Cisco, which says it found the issue during internal testing.
The fix follows an update for a similar static credential flaw affecting the Linux variant of Cisco's networking operating system, IOS XE.
Cisco initially patched the flaw in March but clarified last week that it also affected IOS XE software running on its Integrated Services Virtual Router (ISRv).
The company has removed several hardcoded password bugs from its software this year, including one found in Digital Network Architecture (DNA) Center and another in Cisco Prime Collaboration Provisioning (PCP) software.
Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several Australian publications, including the Sydney Morning Herald online. He's interested primarily in how information technology impacts the way business and people communicate, trade, and consume.