Vulnerability Note VU#659228
Cisco WLSE and HSE devices contain hardcoded username and password
A default account with a common username and password exists in two Cisco products. An attacker with knowledge of this account information can compromise any of these devices on the network.
A default account with a known, fixed username and password combination exists in some version of the Cisco Wireless LAN Solution Engine (WLSE) and Cisco Hosting Solution Engine (HSE). The WLSE provides centralized management for Cisco Wireless LAN infrastructures. The HSE is a hardware-based product that provides fault and performance information about the Layer 2-3 hosting infrastructure and Layer 4-7 hosted services.
According to the Cisco Security Advisory:
An attacker with knowledge of default account information and the ability to access a vulnerable device may take administrative control of the device. Immediate impacts of this level of access include, but are not limited to, the ability to add new users or modify details of existing users, and the ability change the device's configuration. Cisco lists the following practical examples of impacts resulting from exploitation:
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||-||08 Apr 2004|
CVSS Metrics (Learn More)
Thanks to Cisco Systems Product Security Incident Response Team for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: Unknown
- Date Public: 07 Apr 2004
- Date First Published: 07 Apr 2004
- Date Last Updated: 22 Apr 2004
- Severity Metric: 18.23
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.