Cisco has issued a critical update for its Video Surveillance Manager (VSM) appliance to fix a default password vulnerability.

If exploited the vulnerability could allow an unauthenticated user to log in using the root account, which has default, static user credentials allowing the attacker to execute arbitrary commands as the root user, Cisco reported. The issue has been patched with VSM version 7.12, which can be downloaded here.

The issue, CVE-2018-15427, affects VSM versions 7.10, 7.11, and 7.11.1, but only when the software is preinstalled by Cisco and running on the following Cisco Connected Safety and Security Unified Computing System platforms:

  • CPS-UCSM4-1RU-K9
  • CPS-UCSM4-2RU-K9
  • KIN-UCSM5-1RU-K9
  • KIN-UCSM5-2RU-K9