A web site blackout prevented Cisco customers from downloading 21 critical security patches for about three hours, shortly after the patches were released.
Updates for nearly two dozen vulnerabilities in IOS, Cisco's router operating system, were released around 4pm on Wednesday. Cisco's web site went dark around three hours later and didn't come back until about 10pm.
Cisco has now blamed "human error" for the downtime, and added that the severity of the resulting electrical overload prevented the redundant systems from kicking in.
The 21 patches, spread over four updates, repair IOS against a swath of vulnerabilities, some of which could let attackers inject their own malicious code into Cisco hardware. Three of the four IOS updates, according to Cisco's advisories, plug holes that attackers might be able to exploit with remote code.
Internet Storm Center analyst Tom Liston ranked two of the four - "Secure Copy Authorization Bypass Vulnerability" and "Voice Vulnerabilities in Cisco IOS" - as especially dangerous, and urged administrators to patch them as soon as possible.
Of the bypass update, Liston said: "[The attacker] needs a log-in, but after that, it's pretty much game-over." The 16 bugs quashed by the voice vulnerabilities update are even scarier, he said. "The others can potentially wait for testing, this [set] can't. Patch now."
Danish vulnerability tracker Secunia, however, rated the bypass bug as "less critical," the second step in its five-mark scoring system, and tagged the voice flaws as "moderately critical," its middle rank.