Cisco IOS XE SD-WAN Software Default Credentials Vulnerability
Description
A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthenticated, local attacker to gain unauthorized access to an affected device. The vulnerability is due to the existence of default credentials within the default configuration of an affected device. An attacker who has access to an affected device could log in with elevated privileges. A successful exploit could allow the attacker to take complete control of the device. This vulnerability affects Cisco devices that are running Cisco IOS XE SD-WAN Software releases 16.11 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco IOS XE SD-WAN Software releases 16.11 and earlier contain default credentials allowing unauthenticated local attackers to gain full device control.
Vulnerability
Cisco IOS XE SD-WAN Software retains default credentials in its default configuration. An unauthenticated local attacker who can access the device's console or CLI can use these credentials to log in. Affected releases are 16.11 and earlier [1].
Exploitation
The attacker requires physical or console access to the device; no prior authentication is needed. The attacker connects to the device's management interface and authenticates with the well-known default credentials [1].
Impact
Successful exploitation grants the attacker elevated privileges. The attacker can then gain full administrative control over the device, potentially leading to complete compromise of the affected system [1].
Mitigation
Cisco has released fixed software versions. Customers should upgrade to a patched release. No workaround is available. Customers with service contracts can obtain updates through normal channels; those without contracts should contact Cisco TAC [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=16.11
- Range: 16.11 and earlier
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-cred-EVGSF259 (mitre, x_refsource_CONFIRM)