The company said both its Wireless LAN Solution Engine and its Hosting Solutions Engine ship with default username and password pairs that are hard-coded into the software and cannot be changed by users. This means that any user who can log into one of the applications will have complete control over whatever devices the application manages.
It also opens up other attack scenarios. For example, an attacker could log into the WLSE and change access rights and permissions for users or set up his own access point on the network and hide it, giving him the ability to listen in on the networks traffic.
Customers use the WLSE to manage all of the devices in Ciscos wireless LAN product line, including access points and stations. The HSE is designed to help monitor services in data centers. Versions 2.0, 2.0.2 and 2.5 of the WLSE are vulnerable, and HSE 1.7, 1.7.1, 1.7.2 and 1.7.3 are affected as well.
Cisco officials said the problem was the result of someone forgetting to change the default username and password, which are used during development, before the products shipped to customers. They noted, however, that the company has not had any reports of customers being attacked as a result of this vulnerability.
A company official could not say why each of the vulnerable products went through several releases before the problem was discovered.
Cisco, based in San Jose, Calif., released patches that fix this vulnerability. There is no workaround for this issue.
Editors Note: This story was updated to include further information from the company.