Cisco unknowingly shipped 42 server models with a changed default admin password for seven weeks
Cisco, the world's largest provider of networking equipment, shipped a batch of servers with the wrong default password for the admin account for seven weeks without noticing, claims The Register.
“A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the configured password is provided,” the Borg says in a new Field Notice.
The company, which normally ships these devices with the default admin password “password”, ended up delivering 42 server models with “Cisco1234” as the admin password instead.
As a result, customers were unable to access the devices’ CIMC, says Cisco. After receiving customer complaints, Cisco began an investigation.
After identifying the non-standard default password, the company corrected the issue by changing the password coded into the devices to match the one documented in the devices’ technical manuals.
All 42 affected server models manufactured between November 17, 2015 and January 6, 2016 were misconfigured, says Cisco.
Cisco has issued a public advisory for this issue, advising network admins to change the default password on this type of equipment in their network to something more secure as soon as possible.
It is doubtful that any affected equipment was deployed to sensitive infrastructure without being configured in advance, since network admins did not have CIMC access. However, some units may still be online and could be compromised with backdoors before being deployed. It looks like hackers won’t wait long to exploit these vulnerabilities.