What credentials are used on the SNMP vulnerability scan on Cisco devices?
For a vulnerability scan, the authentication on SNMP is based on a password called a "community string". Each "community string" may be configured inside the SNMP daemon that runs on the device to have access to different "Views" of the information available on the MIB.
The user provides the community strings for the authentication records using the QualysGuard web interface. Besides the community strings provided by the user, the scan tries several default community strings such as public, private, system, test, admin, access, and many more.
Currently "ENABLE" password or enabled access is not supported in Cisco/Unix Auth. As you can see from the current commands we run basically "sh" commands so ENABLED rights are not necessary. If the "Password Brute Forcing" option is checked within the option profile, the system will also try some other common names. The more information that is available for the given community string, the more accurate the scan will be.
Qualys Support KnowledgeBase