Cisco admits to leaving a backdoor open

Cisco – a company that likes to remind us how much of their hardware makes up the infrastructure of the internet – has released a statement warning that an “unintentional debugging credential” has not been removed from some of their devices before they were sold. This affects devices found in service providers infrastructure.

What does this mean? The Register states it quite well “It kinda smells like a backdoor left in by engineers for testing.”. With this credential a bad actor can get full control of the device with root access.

Cisco reveals ‘unintentional debugging credential’ flaw • The Register

On the plus side of the announcement, for it to be exploited the Telnet function for the device would need to be enabled – something that is disabled when the units ship. Cisco rates this issue as critical.

The Cisco Advisory:

Cisco Catalyst PON Series Switches Optical Network Terminal Vulnerabilities