Critical flaw affects Cisco Video Surveillance Manager
Cisco has patched a critical vulnerability in the Cisco Video Surveillance Manager (VSM) that could be exploited by an unauthenticated remote attacker to gain root access.
Cisco has fixed a critical vulnerability in the Cisco Video Surveillance Manager software running on some Connected Safety and Security Unified Computing System (UCS) platforms.
The flaw could give an unauthenticated, remote attacker the ability to execute arbitrary commands as root on targeted systems.
The software running on certain systems includes default, static credentials for the root account that could allow attackers to gain root access.
The credentials for the account are undocumented.
“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” reads the advisory published by Cisco.
“An attacker could exploit this vulnerability by using the account to log in to an affected system.”
The vulnerability impacts Cisco Video Surveillance Manager (VSM) Software releases 7.10, 7.11, and 7.11.1. The flaw only affects systems where the software was preinstalled by Cisco and only impacts the CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9 Connected Safety and Security UCS platforms.
“This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on the vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not documented publicly,” continues the Cisco advisory.
At the time of writing there are no workarounds for this vulnerability; users are urged to upgrade to VSM Release 7.12, which addresses the flaw.
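Because the fix is an upgrade and there is no workaround, the practical work for a defender is twofold: find the deployments that match the advisory's affected set (release, platform, and "preinstalled by Cisco"), and watch for the login the advisory describes until they are patched. The script below is an added example, not code from Cisco or from the advisory. The host inventory, the log lines and the `preinstalled` flag are constructed for illustration, and it assumes the login path is SSH to the underlying OS with syslog-style `sshd` messages; the advisory only says the attacker "logs in" and does not name the service.

```python
"""Triage VSM hosts against the advisory's affected set and flag root logins.

Added example; the inventory and log lines below are constructed, and the
assumption that the login surface is sshd (with standard "Accepted ..." log
messages) is ours, not the advisory's.
"""
import re
from dataclasses import dataclass

# Taken from the advisory text: affected releases, affected platform PIDs,
# and the fixed release. Membership is exact, mirroring the list Cisco gives.
AFFECTED_RELEASES = {"7.10", "7.11", "7.11.1"}
AFFECTED_PLATFORMS = {
    "CPS-UCSM4-1RU-K9", "CPS-UCSM4-2RU-K9",
    "KIN-UCSM5-1RU-K9", "KIN-UCSM5-2RU-K9",
}
FIXED_RELEASE = "7.12"


@dataclass
class VsmHost:
    name: str
    platform: str      # hardware PID as reported by the inventory system
    release: str       # VSM software release string
    preinstalled: bool  # True if Cisco shipped the software on the box


def is_affected(host: VsmHost) -> bool:
    """All three advisory conditions must hold for the host to be in scope."""
    return (
        host.release in AFFECTED_RELEASES
        and host.platform in AFFECTED_PLATFORMS
        and host.preinstalled
    )


def triage(hosts: list[VsmHost]) -> list[str]:
    """Names of hosts that need the VSM 7.12 upgrade."""
    return [h.name for h in hosts if is_affected(h)]


# Matches the standard OpenSSH success line, e.g.
# "Accepted password for root from 203.0.113.45 port 51022 ssh2"
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def root_password_logins(lines, allowed_sources=()):
    """Return (source_ip, line) for successful password logins as root.

    Key-based root logins and logins from known admin sources are ignored;
    a password login as root from anywhere else is what an attacker using
    a static default credential would produce.
    """
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        if (m["user"] == "root" and m["method"] == "password"
                and m["src"] not in allowed_sources):
            hits.append((m["src"], line))
    return hits


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_HOSTS = [
    VsmHost("vsm-lobby", "KIN-UCSM5-1RU-K9", "7.11.1", preinstalled=True),
    VsmHost("vsm-lab", "CPS-UCSM4-2RU-K9", FIXED_RELEASE, preinstalled=True),
    VsmHost("vsm-diy", "UCSC-C220-M5", "7.11", preinstalled=False),
    VsmHost("vsm-old", "CPS-UCSM4-1RU-K9", "7.11", preinstalled=True),
]

# Constructed sample sshd log lines; 10.0.0.5 plays the role of a jump host.
SAMPLE_LOG = [
    "Sep 21 10:02:11 vsm-lobby sshd[2231]: Accepted password for root from 203.0.113.45 port 51022 ssh2",
    "Sep 21 10:05:40 vsm-lobby sshd[2290]: Accepted publickey for vsmadmin from 10.0.0.5 port 44012 ssh2",
    "Sep 21 10:07:02 vsm-lobby sshd[2310]: Failed password for root from 203.0.113.45 port 51030 ssh2",
    "Sep 21 10:09:15 vsm-lobby sshd[2350]: Accepted password for root from 10.0.0.5 port 44100 ssh2",
]

if __name__ == "__main__":
    print("needs upgrade:", triage(SAMPLE_HOSTS))
    for src, line in root_password_logins(SAMPLE_LOG, allowed_sources={"10.0.0.5"}):
        print("ALERT root password login from", src, "->", line)
```

Two points in the design are worth noting. The triage deliberately tests all three advisory conditions rather than release alone, so a customer-installed VSM on generic UCS hardware (the `vsm-diy` host) is not flagged; if your inventory cannot tell whether Cisco preinstalled the software, treat that field as True to err on the side of patching. The log check keys on method `password` because the finding is a static password, but an allow-list of admin sources is the only thing separating a legitimate root password login from an attacker's, so until the upgrade lands that list should be short and reviewed.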
Cisco confirmed that it is not aware of any attack leveraging the issue.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability,” Cisco concludes.
Recently Cisco issued another warning for a critical static credential flaw in its IOS XE software.