Cisco Systems, Inc. announced that it shipped servers wrongly configured with a password that prevents access to the Cisco Integrated Management Controller.
“A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller unless the configured password is provided,” Cisco explained in its advisory. Cisco put out a field notice explaining that the default password is Cisco1234.
“Customers might not be able to log in to their C-Series servers with the published default admin password ‘password’ since this has been changed to ‘Cisco1234’ for these systems,” the advisory added.
Using ‘password’ as a password, whether it is the default or not, is a gaping hole at the manufacturing end and gives hackers easy access.
As a security blogger said, “It should go without saying that as soon as you gain access to your shiny new Cisco box you should reset the password. But not to ‘password.’ Obviously. If you stick with the default password that a product ships with you’re just asking for trouble.”
Cisco provided no reason for the default password change. Here’s the field notice from Cisco.