Cisco patched authentication, privilege escalation, and denial-of-service vulnerabilities this week in several of its products, including one that’s used for identifying the location of 9-1-1 emergency callers.

The flaw in Cisco Emergency Responder is caused by the presence of default static credentials for the root account that were used during development but were never removed. Users cannot change or remove these credentials, presenting a permanent backdoor that would allow attackers to execute commands on the affected systems with the highest possible privileges.