Cisco has released updates to address a critical security flaw affecting Emergency Responder that allows unauthenticated remote attackers to log into susceptible systems using encrypted credentials.
The vulnerability, tracked as CVE-2023-20101 (CVSS Score: 9.8), is due to the presence of static user credentials for the root account which, according to the company, is generally reserved for use during development.
“An attacker could exploit this vulnerability by using the account to log in to an affected system,” Cisco said in an advisory. “A successful exploit could allow the attacker to log into the affected system and execute arbitrary commands as the root user.”
The issue affects Cisco Emergency Responder Release 12.5(1)SU4 and is fixed in Release 12.5(1)SU5. Other versions of the product are not affected.
The networking equipment company said it discovered the issue during internal security testing and is not aware of any malicious use of the vulnerability in the wild.
The disclosure comes less than a week after Cisco warned of an attempted exploitation of a security flaw in its IOS software and IOS XE software (CVE-2023-20109, CVSS score: 6.6) that could allow an authenticated remote attacker to achieve remote code execution on affected systems.
In the absence of workarounds, customers are recommended to update to the latest version to mitigate potential threats.