Cisco patches Critical default credentials vulnerability (CVE-2020-3446) in network appliances

Cisco patched a Critical default credentials vulnerability (CVE-2020-3446) in Cisco vWAAS for Cisco ENCS 5400-W Series and CSP 5000-W Series network appliances.

According to Cisco, the vulnerability could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an unpatched device by using accounts that have a default, static password.

The vulnerability affects Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances.

“The vulnerability exists because the affected software has user accounts with default, static passwords. An attacker with access to the NFVIS CLI of an affected device could exploit this vulnerability by logging into the CLI. A successful exploit could allow the attacker to access the NFVIS CLI with administrator privileges,” Cisco explained in the advisory.

Cisco also released two High severity security advisories:

  • Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability (CVE-2020-3443).
  • Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerabilities (CVE-2020-3506, CVE-2020-3507).

In addition, Cisco patched over 20 Medium rated vulnerabilities in multiple Cisco products.

Readers can check out the latest Cisco advisories as of August 19, 2020. Network administrators should install security updates on affected devices as soon as possible.
