Cisco has released updates to address a critical security flaw impacting Emergency Responder that allows unauthenticated, remote attackers to sign into susceptible systems using hard-coded credentials.
The vulnerability, tracked as CVE-2023-20101 (CVSS score: 9.8), is due to the presence of static user credentials for the root account that the company said is usually reserved for use during development.
“An attacker could exploit this vulnerability by using the account to log in to an affected system,” Cisco said in an advisory. “A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
The issue impacts Cisco Emergency Responder Release 12.5(1)SU4 and has been addressed in version 12.5(1)SU5. Other releases of the product are not impacted.
The networking equipment major said it discovered the problem during internal security testing and that it’s not aware of any malicious use of the vulnerability in the wild.
The disclosure comes less than a week after Cisco warned of attempted exploitation of a security flaw in its IOS Software and IOS XE Software (CVE-2023-20109, CVSS score: 6.6) that could permit an authenticated remote attacker to achieve remote code execution on affected systems.
In the absence of temporary workarounds, customers are recommended to update to the latest version to mitigate potential threats.
-REFERENCE: https://thehackernews.com/2023/10/cisco-releases-urgent-patch-to-fix.html
-K.Z