IP and Mobile Trends and Education


Cisco IOS XE Static Credential Vulnerability (Catalyst Switches, ISR4k and ASR1k Routers)



Cisco has stated that there is a vulnerability in Cisco IOS XE 16.X versions (the bug does not affect releases prior to IOS XE 16.X) that allows a remote attacker to log in to the system with privilege 15 using the default username cisco. This bug affects the platforms supported by IOS XE software, inter alia the following:


  • Catalyst 9500, 9300 switches
  • Catalyst 3650, 3850 switches
  • ISR 4200, 4300, 4400 routers
  • ASR 1000 routers
  • ISRv, CSR1000v


If you have one of these devices and show version displays the following output:

router# show version
--- output omitted --- (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1

upgrade the system immediately or apply one of the workarounds below.


Possible direct workarounds:

  • delete the account by issuing the no username cisco command in configuration mode
  • change the password for the cisco user
  • to upgrade the IOS XE version and get rid of this vulnerability, check the bug toolkit for a fixed release


Affected releases (as of 10 April 2018):
  • 16.5.1
  • Everest-16.5.1

Known fixed releases (as of 10 April 2018):

  • Everest-16.6.1
  • Everest-16.6.1a
  • Everest-16.5.2
  • 16.7(0.78)
  • 16.6.1
  • 16.6.1a
  • 16.6(0.238)
  • 16.5.2
  • 16.5(1.67)
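As an added example (not code from the original post or from Cisco), the following Python check parses show version output and the local username lines of a running-config and flags a device that runs one of the affected releases listed above and still has the cisco account, which is the condition the workarounds remove. The affected-release strings are copied from this post, and the sample show version line and config excerpt are constructed.

```python
import re

# Release strings copied from the "Affected releases" list in this post (as of 10 April 2018).
AFFECTED_RELEASES = {"16.5.1", "Everest-16.5.1"}

# "Version Everest 16.5.1", "Version Denali 16.2.1" or "Version 16.5.1" (train word is optional)
VERSION_RE = re.compile(r"Version\s+(?:(?P<train>[A-Z][a-z]+)\s+)?(?P<ver>\d+\.\d+[\w.()]*)")
# "username <name> [privilege <n>] ..." lines in a running-config
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)

def parse_version(show_version):
    """Return (train, version) from 'show version' text, or None if no version line is found."""
    m = VERSION_RE.search(show_version)
    return (m.group("train"), m.group("ver")) if m else None

def parse_local_users(running_config):
    """Map each local username to its privilege level (IOS default is 1 when not set)."""
    return {name: int(priv) if priv else 1 for name, priv in USERNAME_RE.findall(running_config)}

def assess(show_version, running_config):
    """Flag a device that runs a listed release and still has the 'cisco' local account."""
    parsed = parse_version(show_version)
    if parsed is None:
        return {"verdict": "unknown", "reason": "could not parse IOS XE version"}
    train, ver = parsed
    labels = {ver} | ({f"{train}-{ver}"} if train else set())   # both "16.5.1" and "Everest-16.5.1"
    release_listed = bool(labels & AFFECTED_RELEASES)
    cisco_priv = parse_local_users(running_config).get("cisco")
    if release_listed and cisco_priv is not None:
        verdict = "vulnerable"   # apply a workaround: no username cisco, or change its password
    elif cisco_priv is not None:
        verdict = "review"       # account present, but release not on the list copied above
    else:
        verdict = "ok"
    return {"verdict": verdict, "version": ver, "train": train,
            "release_listed": release_listed, "cisco_privilege": cisco_priv}

# Constructed sample output, laid out like the show version line quoted in the post.
SAMPLE_SHOW_VERSION = "Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Everest 16.5.1"
# Constructed running-config excerpt; the secret hashes are placeholders.
SAMPLE_CONFIG = """hostname sw-core-1
username cisco privilege 15 secret 5 <hash-placeholder>
username netops secret 5 <hash-placeholder>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

Feed it the output of show version and show running-config | include ^username from each device; a "review" result means the cisco account exists on a release that is not in the list above, which still deserves a look.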


The vulnerability is rated critical and received a CVSS score of 9.8:

  • Cisco bug ID: CSCve89880
  • CVSS score: 9.8
  • Vulnerability: CVE-2018-0150






Marcin Bialy

Marcin Biały is a Network and Security Architect with over 10 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CSSI, FCNSP, FCNSA and more.
