Cisco fixes hard-coded password ‘backdoor’ flaw in Wi-Fi access points
Cisco puts default passwords into its products? Is today the 1st of April?
Cisco network administrators have been advised to update some wireless access point devices following the discovery of two “critical” vulnerabilities.
The company said its Aironet 1800-series devices include a “critical” vulnerability that would effectively allow an attacker to walk in with backdoor access.
In an advisory posted late Tuesday, Cisco explained the flaw is “due to the presence of a default user account that is created when the device is installed,” but added that the account does not have full administrative rights.
“An attacker could exploit this vulnerability by logging in to the device by using the default account, which could allow the attacker to gain unauthorized access to the device,” the advisory read.
The company disclosed another flaw, rated “critical,” in some versions of Cisco’s Identity Services Engine (ISE), which could allow a remote attacker to gain unauthorized access to the device’s administrative portal.
An attacker exploiting the flaw could conduct a “complete compromise” of the affected device.
Another flaw affecting the Identity Services Engine was rated “medium” in severity, and allows a remote attacker access to “specific web resources” for administrators.
Cisco released a fourth patch, for a flaw in its Wireless LAN Controller that, if exploited, could also allow an attacker to “compromise the device completely.”
Affected devices include Cisco 2500-series, 550-series, 8500-series, and Flex 7500-series devices, and virtual wireless controllers, among other devices.