Cisco has released an update to address a critical security flaw affecting emergency responders that allows unauthenticated, remote attackers to sign in to vulnerable systems using hard-coded credentials.
The vulnerability, tracked as CVE-2023-20101 (CVSS score: 9.8), is due to the presence of static user credentials for the root account, which the company said are typically reserved for use during development.
“An attacker could exploit this vulnerability by using the account to log in to an affected system,” Cisco said in an advisory. “A successful exploit could allow the attacker to log into the affected system and execute arbitrary commands as the root user.”
The issue affects Cisco Emergency Responder release 12.5(1)SU4 and is addressed in version 12.5(1)SU5. Other releases of the product are not affected.
The networking equipment major said it discovered the issue during internal security testing and is not aware of any malicious use of the vulnerability in the wild.
The disclosure comes less than a week after Cisco warned of attempted exploitation of a security flaw in its IOS Software and IOS XE Software (CVE-2023-20109, CVSS score: 6.6) that could permit an authenticated remote attacker to achieve remote code execution on affected systems.
In the absence of temporary solutions, customers are advised to update to the latest version to mitigate potential threats.
