Cisco patched a critical vulnerability in its Video Surveillance Manager (VSM), which, if left unpatched, could allow an unauthenticated attacker to log in as root.
The vulnerability impacts only the VSM software running on certain Connected Safety and Security Unified Computing System (UCS) platforms.
The issue resides in the presence of default, static credentials for the root account, Cisco officials said in an advisory.
The credentials for the account are undocumented and only impact certain systems, Cisco said.
An attacker exploiting the vulnerability could log in to the affected systems and execute arbitrary commands as the root user.
The bug affects VSM Software releases 7.10, 7.11, and 7.11.1.
The issue, however, only comes to life if the software was preinstalled by Cisco and only impacts the CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9 Connected Safety and Security UCS platforms.
“This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on the vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not documented publicly,” Cisco said in its advisory.
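The root cause Cisco describes is an administrative one: a root account that should have been disabled before the image shipped, with a password baked into every unit. Two checks a defender can run against any Linux-based appliance fleet follow from that description, and the script below is an added example (not Cisco's code, and the shadow-file contents are constructed, not taken from any VSM image): per host, flag accounts that policy says must be locked but still carry a usable password field; across hosts, flag a user whose hash field is byte-for-byte identical on more than one appliance, since independently set passwords get different random salts and an identical hash is a strong sign of a credential baked into the image.

```python
"""Audit /etc/shadow contents for accounts that should be locked and for
password hashes shared across hosts. Added example with constructed data;
nothing here comes from the Cisco advisory or a real VSM image."""
from typing import Dict, List, Tuple

# A leading '!' or '*' in the password field ('!', '!!', '*', '!$6$...')
# means password login is disabled for that account.
LOCKED_PREFIXES = ("!", "*")

# Constructed sample shadow files for three hypothetical appliances.
# Hosts 1 and 2 carry the same root hash (same salt, same digest); host 3
# had root locked with `passwd -l`, which prefixes the hash with '!'.
SAMPLE_HOSTS: Dict[str, str] = {
    "cam-ucs-1": (
        "root:$6$CONSTRUCTEDsalt$cOnStRuCtEdDiGeSt0123456789abcdef:17800:0:99999:7:::\n"
        "daemon:*:17800:0:99999:7:::\n"
        "vsmadmin:$6$hostonesalt$digestforhostone0123456789abcdef:17800:0:99999:7:::\n"
    ),
    "cam-ucs-2": (
        "root:$6$CONSTRUCTEDsalt$cOnStRuCtEdDiGeSt0123456789abcdef:17800:0:99999:7:::\n"
        "daemon:*:17800:0:99999:7:::\n"
        "vsmadmin:$6$hosttwosalt$digestforhosttwo0123456789abcdef:17800:0:99999:7:::\n"
        "guest::17800:0:99999:7:::\n"
    ),
    "cam-ucs-3": (
        "root:!$6$CONSTRUCTEDsalt$cOnStRuCtEdDiGeSt0123456789abcdef:17800:0:99999:7:::\n"
        "daemon:*:17800:0:99999:7:::\n"
        "vsmadmin:$6$hostthreesalt$digestforhostthree0123456789abcd:17800:0:99999:7:::\n"
    ),
}


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field from shadow-format text."""
    accounts: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        accounts[fields[0]] = fields[1]
    return accounts


def password_login_enabled(pw: str) -> bool:
    """True when the field permits password authentication: either a hash
    with no lock prefix, or an empty field (no password at all)."""
    return pw == "" or not pw.startswith(LOCKED_PREFIXES)


def audit_host(text: str, must_be_locked: Tuple[str, ...] = ("root",)) -> List[str]:
    """Per-host findings: required-locked accounts that are still enabled,
    plus any account with an empty password field."""
    findings: List[str] = []
    accounts = parse_shadow(text)
    for name in must_be_locked:
        if name in accounts and password_login_enabled(accounts[name]):
            findings.append(f"{name}: password login enabled, expected locked")
    for name, pw in accounts.items():
        if pw == "":
            findings.append(f"{name}: empty password")
    return findings


def shared_hashes(shadow_by_host: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Fleet finding: the same (user, hash) pair on more than one host.
    Locked accounts are skipped; only usable credentials matter here."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for host, text in shadow_by_host.items():
        for name, pw in parse_shadow(text).items():
            if pw and password_login_enabled(pw):
                seen.setdefault((name, pw), []).append(host)
    return [(name, sorted(hosts)) for (name, _pw), hosts in seen.items() if len(hosts) > 1]


if __name__ == "__main__":
    for host, text in SAMPLE_HOSTS.items():
        for finding in audit_host(text):
            print(f"[{host}] {finding}")
    for name, hosts in shared_hashes(SAMPLE_HOSTS):
        print(f"[fleet] {name}: identical password hash on {', '.join(hosts)}")
```

In practice the shadow contents would be collected from each appliance over an authenticated management channel rather than embedded; the per-host check catches the "root not disabled" condition the advisory names, and the cross-host check catches the "default, static credentials" condition without needing to know what the credential is.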