CVE-2018-0150 — Hard-coded Credentials in Cisco IOS XE

CWE-798 — Hard-coded Credentials5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

2.9%

top 13.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE

Timeline

PublishedMar 28

Latest updateMay 13

Description

A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected de…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDcisco/ios_xe16.5.1

🔴Vulnerability Details

GHSA

GHSA-wpq9-4577-qx62: A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IO↗2022-05-13

▶

CVEList

CVE-2018-0150: A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IO↗2018-03-28

▶

VulnCheck

Cisco ios_xe Use of Hard-coded Credentials↗2018

▶

📋Vendor Advisories

Cisco

Cisco IOS XE Software Static Credential Vulnerability↗2018-03-28

▶