Cisco issued security patches to address a Cisco Emergency Responder (CER) vulnerability that permitted attackers to use hard-coded credentials to log into unpatched systems. CER provides precise location tracking of IP phones so that emergency calls can be routed to the proper Public Safety Answering Point (PSAP), helping companies respond to emergencies successfully.
The security hole, identified as CVE-2023-20101, enables unauthenticated attackers to gain access to a targeted device using the root account, which had pre-set, static credentials that couldn’t be changed or eliminated. In a statement released today, Cisco stated that the vulnerability was caused by the root account’s use of static user credentials, which are normally reserved for use during development.