On September 19, Cisco officially issued a notice that IOS XE Software contains a high-risk vulnerability (CVE-2018-0150). The vulnerability stems from an undocumented user account that has a default username and password and privilege level 15. An unauthenticated attacker could use this account to connect remotely to an affected device and exploit the vulnerability; successful exploitation allows the attacker to log in to the device with privilege level 15 access.
The vulnerability's CVSS score is as follows:
CVSS 3.0: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
- Cisco IOS XE 16.5.x version < 16.5.2
- Cisco IOS XE 16.6.x version < 16.6.1
- Cisco IOS XE running on ISRv
- Cisco IOS XE version < 16.x
- Cisco IOS XE version 16.5.2
- Cisco IOS XE version 16.6.1
Note: For details on Cisco IOS XE ISRv, please refer to the official description.
Affected users are advised to apply the upgrade for protection. In addition, the system administrator can use the `no username cisco` command to remove the default account, or log in to the device and change the password of this default account.
For Cisco ISRv, administrators can remove old packages from the datastore and then perform ISRv package updates for protection.
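One way to audit a device's running configuration for the default account and for other local users at privilege level 15, and to emit the removal commands described above, as an added example that is not from Cisco or the advisory: the running-config excerpt is constructed, the secret hashes are placeholders, and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of `show running-config` output (not from a real device);
# the secret strings are obviously fake placeholders, not real hashes.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router
!
username cisco privilege 15 secret 5 $1$PLACEHOLDER$not-a-real-hash
username netops privilege 15 secret 9 $9$PLACEHOLDER$not-a-real-hash
username readonly privilege 1 secret 9 $9$PLACEHOLDER$not-a-real-hash
!
line vty 0 4
 login local
"""

# Default account targeted by the advisory's `no username cisco` remediation.
DEFAULT_ACCOUNT = "cisco"

# `username <name> [privilege <n>] ...`; when privilege is omitted IOS uses level 1.
USERNAME_RE = re.compile(r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?")


@dataclass
class LocalUser:
    name: str
    privilege: int


def parse_local_users(running_config: str) -> List[LocalUser]:
    """Extract local accounts and their privilege levels from running-config text."""
    users = []
    for line in running_config.splitlines():
        match = USERNAME_RE.match(line.strip())
        if match:
            users.append(LocalUser(match.group("name"), int(match.group("priv") or 1)))
    return users


def audit_default_account(running_config: str) -> dict:
    """Report whether the default account exists, list privilege-15 users,
    and return the IOS commands that remove the default account if present."""
    users = parse_local_users(running_config)
    default_present = any(u.name == DEFAULT_ACCOUNT for u in users)
    priv15 = sorted({u.name for u in users if u.privilege == 15})
    remediation = []
    if default_present:
        remediation = ["configure terminal", f"no username {DEFAULT_ACCOUNT}", "end", "write memory"]
    return {"default_account_present": default_present,
            "privilege_15_users": priv15, "remediation": remediation}
```

Run the audit against the output of `show running-config` collected from each device; a result with `default_account_present` set to True indicates the account still needs to be removed or have its password changed.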