Issue could allow an unauthenticated, remote attacker to gain unauthorized access to affected devices.
Score one for the good guys: Cisco has caught its own security vulnerability and has already issued a patch to prevent hackers from exploiting a flaw in as many as twelve of its voice-activated OS products.
According to a statement from the company, “When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action.”
Root access state
To be clear, the original products themselves seem to be secured. It’s only when users download the update to their favorite Cisco products–a commonly advised step, considering the numbers of updates that are intended to fix security holes–that the vulnerability crops up, one that has been labeled as Critical by the developer. Hackers could potentially work their way into the now-unsecured software by entering while in its root access state.
The patch has already been issued, but this incident speaks to the higher need for consumers and tech users at every level to enact good cybersecurity practices. While the update itself seems to have opened the door to malicious activity, the follow-up patch remedies the situation; a casual user who doesn’t stay on top of their update activity could inadvertently expose the flaw then fail to close it by not monitoring their updates.
Some of the affected Cisco products include Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder, and Cisco MediaSense. “If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action.”