Cisco has revealed a critical-rated vulnerability in its small business switch software that, if exploited, can allow a remote attacker to bypass the device’s user authentication mechanism.

The vulnerability, in version 1.4.9.04 of the Cisco software, exists because under specific circumstances the affected software enables a privileged user account without notifying the system’s administrators. An attacker could exploit it by using this account to log in to an affected device and execute commands with full administrator rights, the company said in an advisory.

The products involved are the:

  • Cisco Small Business 200 Series Smart Switches
  • Cisco Small Business 300 Series Managed Switches
  • Cisco Small Business 500 Series Stackable Managed Switches
  • Cisco 250 Series Smart Switches
  • Cisco 350 Series Managed Switches
  • Cisco 350X Series Stackable Managed Switches
  • Cisco 550X Series Stackable Managed Switches

At this time there is no patch available, but Cisco has issued a workaround.

“The workaround consists of adding at least one user account with access privilege set to level 15 in the device configuration,” the company said.
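Because the workaround is a configuration state rather than a patch, an administrator managing many switches will want a repeatable check that each device's running configuration actually contains at least one privilege-level-15 account. The following is an added example, not code from Cisco or the advisory; the `username ... privilege N` line format and the level-1 default for accounts without a `privilege` keyword are assumptions, and the configuration excerpt is constructed.

```python
import re
from typing import List

# Constructed sample of a running-config excerpt. The "username ... privilege N"
# syntax is assumed (Cisco Small Business CLI style), not quoted from the advisory.
SAMPLE_RUNNING_CONFIG = """\
hostname sw-edge-01
username operator password encrypted 1a2b3c privilege 1
username netadmin privilege 15 password encrypted 4d5e6f
username auditor password encrypted 7a8b9c
"""

# A "username" line: capture the account name and keep the remainder for parsing.
USERNAME_LINE = re.compile(r"^\s*username\s+(\S+)(?P<rest>.*)$")
# The privilege keyword may appear before or after the password clause.
PRIV = re.compile(r"\bprivilege\s+(\d+)\b")


def level15_accounts(config_text: str) -> List[str]:
    """Return the names of all accounts configured with privilege level 15.

    Accounts with no explicit 'privilege' keyword are treated as level 1;
    that default is an assumption and should be checked against the platform docs.
    """
    found: List[str] = []
    for line in config_text.splitlines():
        m = USERNAME_LINE.match(line)
        if not m:
            continue
        pm = PRIV.search(m.group("rest"))
        level = int(pm.group(1)) if pm else 1
        if level == 15:
            found.append(m.group(1))
    return found


def workaround_applied(config_text: str) -> bool:
    """True when at least one level-15 account exists, as the advisory's workaround requires."""
    return len(level15_accounts(config_text)) >= 1


if __name__ == "__main__":
    print("level-15 accounts:", level15_accounts(SAMPLE_RUNNING_CONFIG))
    print("workaround applied:", workaround_applied(SAMPLE_RUNNING_CONFIG))
```

Feed it the output of the switch's `show running-config` (collected over SSH or from a config backup) and alert on any device where `workaround_applied` returns False.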