Cisco has released a security update to address a critical vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem (CVE-2020-3158). The vulnerability is due to an embedded default system account with a static, hardcoded password that is not under the control of the system administrator. An attacker could exploit it by using this default account to connect to the affected system. It has a Common Vulnerability Scoring System (CVSS) v3.0 base score of 9.8 out of 10.
This vulnerability affects Cisco Smart Software Manager On-Prem releases earlier than 7-202001 with the HA feature enabled. The HA feature is not enabled by default, so deployments that have never enabled it are not exposed.
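Both conditions above (a pre-fix release and HA enabled) must hold for a deployment to be affected, which is easy to get wrong when triaging an inventory by hand. The following is an added example, not Cisco's code or tooling: it assumes release strings of the form "<major>-<YYYYMM>" (as in "7-201910" and the fixed release "7-202001") and takes the HA status as an operator-supplied flag, since it does not query the appliance. The hostnames and releases in the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2020-3158 (Cisco SSM On-Prem static default credential).

Added example, not Cisco's code. Assumes release strings have the form
"<major>-<YYYYMM>" (e.g. "7-201910", "7-202001"); HA status must be supplied
by the operator, because this script does not query the appliance.
"""
import re
from typing import List, Tuple

FIXED_RELEASE = "7-202001"  # first fixed release named in the advisory

_RELEASE_RE = re.compile(r"^(\d+)-(\d{6})$")


def parse_release(release: str) -> Tuple[int, int]:
    """Turn "7-201910" into a comparable (major, yyyymm) tuple.

    Raises ValueError on strings that do not match the assumed format, so a
    typo in an inventory file cannot silently read as "not affected".
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(release: str, ha_enabled: bool) -> bool:
    """Both advisory conditions must hold: pre-fix release AND HA enabled."""
    return ha_enabled and parse_release(release) < parse_release(FIXED_RELEASE)


def triage(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return the hostnames of (hostname, release, ha_enabled) entries that need patching."""
    return [host for host, rel, ha in inventory if is_vulnerable(rel, ha)]


# Constructed sample inventory; hostnames and releases are illustrative only.
SAMPLE_INVENTORY = [
    ("ssm-prod-1", "7-201910", True),   # vulnerable: pre-fix release, HA enabled
    ("ssm-prod-2", "7-201910", False),  # not vulnerable: HA disabled (the default)
    ("ssm-dr-1", "7-202001", True),     # not vulnerable: fixed release
    ("ssm-lab", "8-202004", True),      # not vulnerable: later major release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_RELEASE} or later")
```

The parser deliberately rejects anything that does not match the expected release format rather than treating it as safe; a malformed entry should surface as an error during triage, not disappear from the patch list.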
Successful exploitation could allow an attacker to obtain read and write access to system data, including the configuration of the affected system. However, the attacker would not be able to gain full administrative control of the system.
System administrators of the affected products are advised to upgrade to release 7-202001 or later immediately.
More details on the security alert can be found at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-static-cred-sL8rDs8.