yes, in this instance it turned out to be "not an actual issue".
But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.
And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).
But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.
And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).