> .. allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.

> The vulnerability is due to the presence of a default SSH key pair that is present in all devices.

That's quite a bug -- I expected to see an obscure exploit deep in the networking code which masterfully bypasses all code hardening, but found default credentials instead. This is the kind of mistake that a random IoT company would make; I would not expect this from Cisco.
I don't understand how this could happen in 2019. There were multiple people involved who coded, reviewed, and tested the code, and signed off on the release.

The other possible explanation is that it's intentional.