A critical vulnerability (CVE-2018-15439) in Cisco Small Business Switch software allows an attacker to remotely control an affected device without authentication. The vulnerability carries a CVSS severity score of 9.8 and stems from the device's default configuration, specifically a privileged user account that is present out of the box. This privileged account is created for initial login and cannot be removed from Cisco Small Business Switch devices.
According to the security advisory published by Cisco, “A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device.
The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”
The workaround announced by Cisco is to add a user account with privilege level 15 to the device configuration, which disables the default privileged account. Administrators can configure the new account with admin as the user ID, set its access level to 15, and define a complex password of their own choosing.
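As an added example (not part of the original article or of Cisco's advisory), the following Python script audits a saved running-config to check whether the workaround described above is in place, i.e. whether at least one user account with privilege level 15 exists. The sample configurations, the hostname and the password hash placeholder are constructed for this example, and the `username <name> privilege <level> ...` line format is an assumption about how these switches render accounts in their configuration.

```python
import re
from typing import Dict, List

# Constructed sample configurations (not taken from the page or from a real device).
# Assumption: user accounts appear as "username <name> privilege <0-15> password ...".
CONFIG_MISSING_LEVEL15 = """\
hostname sb-switch-lab
username operator privilege 1 password encrypted HASH-PLACEHOLDER
ip ssh server
"""

CONFIG_WITH_LEVEL15 = """\
hostname sb-switch-lab
username admin privilege 15 password encrypted HASH-PLACEHOLDER
username operator privilege 1 password encrypted HASH-PLACEHOLDER
ip ssh server
"""

USERNAME_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d{1,2})\b")


def parse_user_accounts(config_text: str) -> List[Dict[str, object]]:
    """Return the user accounts found in a config, with their privilege levels."""
    accounts: List[Dict[str, object]] = []
    for line in config_text.splitlines():
        match = USERNAME_RE.match(line)
        if not match:
            continue
        priv = PRIV_RE.search(match.group("rest"))
        # Assumption: a username line without a privilege keyword is treated as level 1.
        level = int(priv.group("level")) if priv else 1
        accounts.append({"name": match.group("name"), "privilege": level})
    return accounts


def has_level15_account(config_text: str) -> bool:
    """True when at least one configured account has privilege level 15."""
    return any(acct["privilege"] == 15 for acct in parse_user_accounts(config_text))


def audit_config(config_text: str) -> str:
    """One-line audit verdict for the workaround: a level-15 account must be configured."""
    if has_level15_account(config_text):
        return "OK: at least one privilege-15 user account is configured"
    return "FINDING: no privilege-15 user account configured; add one as per Cisco's workaround"


if __name__ == "__main__":
    for label, cfg in (("missing", CONFIG_MISSING_LEVEL15), ("present", CONFIG_WITH_LEVEL15)):
        print(f"{label}: {audit_config(cfg)}")
```

Run the script against a config exported from each switch (for example via the device's backup or `show running-config` output saved to a file) to list devices that still lack a level-15 account.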
Affected Cisco switches include Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 250 Series Smart Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, and Cisco 550X Series Stackable Managed Switches.