Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Default Account Exposes Cisco Switches to Remote Attacks

A default account present in Cisco Small Business switches can allow remote attackers to gain complete access to vulnerable devices. The networking giant has yet to release patches, but a workaround is available.

A default account present in Cisco Small Business switches can allow remote attackers to gain complete access to vulnerable devices. The networking giant has yet to release patches, but a workaround is available.

According to Cisco, Small Business switches running any software release come with a default account that is provided for the initial login. The account has full administrator privileges and it cannot be removed from the system.

The account is disabled if an administrator configures at least one other user account with the access privilege set to level 15, which is equivalent to root/administrator and provides full access to the switch. However, if no level 15 accounts are configured or existing level 15 accounts are removed from the device, the default account is re-enabled and the administrator is not notified.

Malicious actors can leverage this account to log in to a device and execute arbitrary commands with full admin privileges.

The vulnerability, tracked as CVE-2018-15439, was reported to Cisco by Thor Simon of Two Sigma Investments LP. The vendor says it’s not aware of any attempts to exploit the vulnerability for malicious purposes.

The flaw affects Cisco Small Business 200, 300 and 500 series switches, Cisco 250 and 350 series smart switches, and Cisco 350X and 550X series stackable managed switches. The vendor says Cisco 220 series smart switches are not impacted.

Until Cisco releases a patch, users have been advised to add at least one user account with privilege level 15 to their device’s configuration. The company’s advisory contains detailed instructions on how such accounts can be configured.

Cisco has also informed customers of a critical authentication bypass vulnerability affecting the management console in its Stealthwatch Enterprise product. A remote attacker can exploit the vulnerability to bypass authentication and execute arbitrary commands with admin rights.

Another critical vulnerability that allows arbitrary command execution with elevated privileges has been found in Cisco Unity Express.

Patches are available for both the Unity Express and the Stealthwatch Enterprise flaws and there is no evidence of malicious exploitation.

Cisco recently rolled out patches for a denial-of-service (DoS) vulnerability impacting some of its security appliances. The security hole has been exploited in attacks and the company released fixes only a week after disclosure.

Related: Cisco, F5 Networks Investigate libssh Vulnerability Impact

Related: Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.