Cisco Removes Backdoor Account from IOS XE Software

Faybert

Cisco removed today a backdoor account from its IOS XE operating system that would have allowed a remote attacker to log into Cisco routers and switches with a high-privileged account.

The company says the "undocumented user account" only impacts devices running Cisco XE Software 16.x, an operating system deployed mostly with Cisco ASR routers and Catalyst switches.

Cisco says devices running IOS XE 16.x come with a hidden default account named "cisco," and a static password that Cisco didn't reveal to avoid future exploitation attempts.

Cisco devices don't usually come with default accounts, and network admins must set up an account during the device's first boot-up.
...
...
The bug can be exploited remotely
This "backdoor" vulnerability (CVE-2018-0150) is considered critical and has a severity score of 9.8 out of 10.

Attackers can log into this account remotely, and don't necessarily need physical access to the device. The account grants the attacker a "privilege level 15 access," a term used to describe high-privileged accounts.
....
....
 
