CVE-2018-0150
published 2018-03-28

Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 4.82% (90.9th percentile)

A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x. Cisco Bug IDs: CSCve89880.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
cisco | ios_xe | |
cisco | ios_xe | |

Detection & IOCs (extracted from sources)

  • Detect use of the undocumented privilege level 15 default account introduced in Cisco IOS XE Software Release 16.x by monitoring for unexpected successful logins at privilege level 15 that use the default username and password set at initial boot.
  • Scope detection to Cisco IOS XE Software Release 16.x only; releases prior to 16.x are not affected and should not trigger alerts for this CVE.
  • Alert on remote login attempts to Cisco IOS XE devices by an otherwise unauthenticated party that succeed with privilege level 15 access; this is indicative of exploitation of the static (hardcoded) credential.
  • The vulnerability involves a hardcoded/static credential (CWE-798) for an undocumented account. Verify whether affected devices are running IOS XE Release 16.x and check for the presence of the undocumented user account (Bug IDs: CSCve89880, CSCve76719). Workarounds exist per the Cisco advisory.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
vendor_cisco | | 9.8 | CRITICAL |