Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.
Cisco has patched this vulnerability in IOS release 12.4(11)T, which includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once. For example, username cisco one-time secret cisco would define the default username so that it can be used for a single login to the router. After the first login, the username disappears from the running configuration and thus cannot be reused.
There are, however, two caveats associated with this feature:
- If you log into the router using any other username, the one-time username remains valid (it's not removed on the first successful login to the box, which would make more sense in the SDM context);
- The one-time username is removed only from the running configuration; if you don't save the new configuration to NVRAM, the username will reappear after the router reloads.
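As an added example (not from the original post and not Cisco code), the following Python audit checks saved copies of a router's running and startup configuration text for both problems described above: a persistent default username, and a consumed one-time username that was never written to NVRAM. The configuration samples are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configurations (not taken from a real router).
SDM_DEFAULT_RUNNING = """\
hostname branch-rtr
username cisco privilege 15 secret 0 cisco
ip http secure-server
"""
ONE_TIME_STARTUP = """\
hostname branch-rtr
username cisco one-time secret 0 cisco
ip http secure-server
"""
# Running config after the one-time username was used: the line is gone.
ONE_TIME_RUNNING = """\
hostname branch-rtr
ip http secure-server
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s*(.*)$")


def parse_usernames(config: str) -> Dict[str, bool]:
    """Map each configured username to True when its line carries the one-time keyword."""
    users: Dict[str, bool] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = bool(re.search(r"\bone-time\b", m.group(2)))
    return users


def audit(running: str, startup: str, default_users: Tuple[str, ...] = ("cisco",)) -> List[str]:
    """Return one finding per problem: a persistent default username in the running
    config, or a one-time username consumed from running config but still saved in NVRAM."""
    findings: List[str] = []
    run_users, start_users = parse_usernames(running), parse_usernames(startup)
    for name in default_users:
        if name in run_users and not run_users[name]:
            findings.append(f"{name}: persistent default username in running-config")
    for name, one_time in start_users.items():
        if one_time and name not in run_users:
            findings.append(f"{name}: consumed one-time username still in startup-config, reappears on reload")
    return findings


if __name__ == "__main__":
    for label, run, start in (("sdm-default", SDM_DEFAULT_RUNNING, SDM_DEFAULT_RUNNING),
                              ("one-time-unsaved", ONE_TIME_RUNNING, ONE_TIME_STARTUP)):
        print(label, audit(run, start))
```

The second finding is cleared by saving the configuration after the one-time login (write memory), which is the step the post says is easy to forget.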