A vulnerability in the Cisco Common Services Platform Collector (CSPC) could allow an unauthenticated, remote attacker to access an affected device by using an account that has a default, static password. This account does not have administrator privileges. The vulnerability exists because the affected software has a user account with a default, static password. An attacker could exploit this vulnerability by remotely connecting to the affected system using this account. A successful exploit could allow the attacker to log in to the CSPC using the default account.
For Cisco CSPC 2.7.x, Cisco fixed this vulnerability in Release 220.127.116.11. For Cisco CSPC 2.8.x, Cisco fixed this vulnerability in Release 18.104.22.168.
Cisco Systems is warning customers that a discovery tool for network devices can be accessed by a remote and unauthenticated attacker. The flaw could allow an adversary to log into the system and collect sensitive data tied to host operating systems and hardware.
The disclosure is part of a Cisco Security Advisory and patch (CVE-2019-1723) issued Wednesday. The vulnerability is rated critical, with a CVSS rating of 9.8.
Affected is the Cisco Common Services Platform Collector (CSPC), ...