Cisco Can’t Stop Using Hard-Coded Passwords
There’s a new Cisco vulnerability in its Emergency Responder product:
This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
This is not the first time Cisco products have had hard-coded passwords made public. You’d think it would learn.
R.Cake • October 11, 2023 9:42 AM
pheww… I guess this is what you get if you go cheap: for the “new product”, you just order a bunch of subcontractors to take the design database of a 12 year old product as-is (I am only making this up of course) and touch it up in a few places to only just check all the requirements of the specifying customer.
As the subcons are only paid to do the bare minimum, that is exactly what they will do. They will certainly not have the initiative to do a security review, unless that is explicitly asked for. Very likely they are also not subject matter experts, nor trained in security.
Another nice example of the pleasures of capitalism at work for you…