Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
Review the switch configuration and verify that the default VLAN is not used to access the switch for management. If the default VLAN is being used to access the switch, this is a finding.
Configure the switch for management access to use a VLAN other than the default VLAN.