Cisco has admitted the flaw: “The vulnerability is due to the presence of a default authorised SSH key that is shared across all the installations of WSAv, ESAv and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv or SMAv.”
Exploitation of the flaws could allow an “unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliance.”
There are already patches available for this flaw and Cisco is recommending that customers update as soon as possible (of course). Still, some are wondering how a flaw like this existed in a security product at all. It seems like a serious case of laziness to us, while others are concerned that the slip was to allow access into Cisco products by the NSA or other law enforcement agencies. Although the latter is certainly plausible given the revelation by Edward Snowden of Cisco’s cooperation with the NSA, it might not be the case at all. This could simply have been a case of pushing a product out using the same base template. When you are dealing with virtual appliances it can cut development time if you use the same basic template for the OS and drop in the features that you need.
This flaw is a serious one, and we do not want to think Cisco risked their customers’ data like this just to keep the NSA happy. However, if this was laziness… it is just as bad. If you have one of these running in your corporate environment we suggest you update now. If the red team did not know about this flaw before, they do now and your data is very much at risk.
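A shared default key of the kind Cisco describes can be found by fingerprinting the `authorized_keys` contents collected from each appliance and flagging any key that appears on more than one host. The following is an added example, not Cisco's or the original article's code. The host names and key blobs are constructed placeholders, and the same parser also works on collected SSH host public key files, which use the same `type base64 comment` layout.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per entry, skipping any options prefix."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield field, fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                except ValueError:  # malformed base64: not a usable key entry
                    pass
                break

def shared_keys(hosts):
    """Map fingerprint -> sorted hosts for every key trusted on more than one host."""
    seen = defaultdict(set)
    for host, text in hosts.items():
        for _type, fp, _comment in parse_authorized_keys(text):
            seen[fp].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

def _blob(label):
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()

# Constructed sample: authorized_keys contents gathered from four hypothetical hosts.
SAMPLE = {
    "wsav-01": f"ssh-rsa {_blob('template-default-key')} support@template\n",
    "esav-01": f"# shipped with image\nfrom=\"10.0.0.0/8\" ssh-rsa "
               f"{_blob('template-default-key')} support@template\n"
               f"ssh-ed25519 {_blob('admin-key-esav')} admin@esav\n",
    "smav-01": f"ssh-rsa {_blob('template-default-key')}\n",
    "jump-01": f"ssh-ed25519 {_blob('admin-key-jump')} ops@jump\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE).items():
        print(f"{fp} is trusted on {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint reported here that was not deployed deliberately by the administrator is a candidate for removal once the vendor patch has been applied.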