Cisco has issued updates to rectify a critical security vulnerability affecting Emergency Responder, which permits unauthorized remote attackers to access vulnerable systems through the use of hardcoded credentials.
Cisco Releases Urgent Patch to Fix Critical Flaw
The vulnerability, identified as CVE-2023-20101 with a CVSS score of 9.8, arises from the existence of static user credentials associated with the root account, typically reserved for developmental purposes, as indicated by the company.
In an advisory, Cisco stated, “This vulnerability could be leveraged by an attacker to gain unauthorized access to an affected system. A successful exploitation could grant the attacker access to the affected system and enable the execution of arbitrary commands with root user privileges.”
The issue impacts Cisco Emergency Responder Release 12.5(1)SU4 and has been addressed in version 12.5(1)SU5. Other releases of the product are not impacted.
The prominent networking equipment company stated that it identified this issue during its internal security testing and emphasized that there have been no known instances of malicious exploitation of the vulnerability in real-world scenarios.
This disclosure comes within a week of Cisco’s alert regarding attempted exploitation of a security flaw in its IOS Software and IOS XE Software (CVE-2023-20109, CVSS score: 6.6), which could enable an authenticated remote attacker to achieve remote code execution on affected systems.
To minimize potential threats, customers are strongly advised to update to the latest version, as temporary workarounds are not available.