Cisco says it discovered and then issued a patch for a critical vulnerability in its Video Surveillance Manager (VSM) software, which the networking-technology giant markets to schools, airports, businesses and other facilities worldwide.
The bug entails hard-coded credentials that attackers can exploit to gain unauthorized access. Cisco says the software, on certain systems, has static credentials for the root account. That means the username and password are set by default and can’t be changed by the user. An attacker could use those credentials to get unauthorized access to the system.
The root account was supposed to be disabled before Cisco installed the software on vulnerable platforms, the company said.
“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user,” Cisco’s alert says.
The credentials are undocumented, so the attacker would have to somehow independently know them in order to exploit them. The company is still urging users to patch the bug, which it says it discovered while conducting internal security testing.
The flaw has a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
The vulnerability applies to VSM versions 7.10, 7.11 and 7.11.1, if Cisco preinstalled the software on certain iterations of its Connected Safety and Security Unified Computing System listed here. The company has released version 7.12, which fixes the vulnerability and is available for users to upgrade to now.
Cisco says there are no workarounds aside from updating the software, which users with a license can do for free. The company says that, as far as it knows, the flaw has not been publicly exploited.
In a similar case, Cisco last week issued a critical update to fix a static credential bug IOS XE, a Linux-based networking operating system.