The first problem is with the Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G and 7971G devices. The phones contain a hard-coded default user account, with a default password, that is remotely accessible through a Secure Shell (SSH) server enabled on the phone.
"This default user account may be leveraged to gain administrative access to a vulnerable phone via a privilege escalation vulnerability," Cisco warned. "The default user account may also execute commands causing a phone to become unstable and result in a denial of service."
The company has made free software available to address the flaws.
Researchers also found a series of flaws in the Cisco Unified IP Conference Station and IP phone devices.
According to Cisco:
The Cisco advisory offers a breakdown of the flaws it has fixed as well as those for which a patch is in development.
In addition to the IP phone issues, the company said it has fixed a flaw in its Cisco Secure Services Client (CSSC). CSSC is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. A lightweight version of the CSSC client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) Framework solution.
Cisco said these products are affected by multiple vulnerabilities, including privilege escalations and information disclosure.