A default configuration allows full admin access to unauthenticated attackers.
A critical and unpatched vulnerability in the widely deployed Cisco Small Business Switch software leaves the door open to remote, unauthenticated attackers gaining full administrative control over the device – and therefore the network.
Cisco Small Business Switches were developed for small office and home office (SOHO) environments, to manage and control small local area networks with no more than a handful of workstations. They come in cloud-based, managed and unmanaged “flavors,” and are an affordable (under $300) solution for resource-strapped small businesses.
The vulnerability (CVE-2018-15439), which has a critical base CVSS severity rating of 9.8, exists because the default configuration on the devices includes a default, privileged user account that is used for the initial login and cannot be removed from the system.
... ... ...