Cisco has released a patch to address a maximum-severity vulnerability found in the company’s Smart Software Manager On-Prem instances.
The networking giant said there are no workarounds for the vulnerability and that users should therefore immediately install a patch. The vulnerability allows malicious actors to change the password of any user, including administrators. In some cases, this could lead to data theft and possibly even ransomware attacks.
The vulnerability is tracked as CVE-2024-20419 and has a “perfect” severity score of 10.
Manage Cisco software licenses
“This vulnerability is due to an improper implementation of the password change process,” Cisco said in an advisory bulletin. “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”
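The advisory describes the flaw only at the level of "an improper implementation of the password change process" reachable through crafted HTTP requests. The following is an added example, not Cisco's code and not a reconstruction of the actual defect, that models the general class in a small, self-contained Python handler: a password-change function that trusts the target username in the request body, placed next to a hardened version that ties the change to an authenticated session, re-proves the current password for self-service changes, and limits resets of other accounts to administrators. The user store, usernames, passwords and session tokens are all constructed for the demonstration.

```python
"""
Added example (not Cisco's code): a minimal model of a password-change
endpoint showing the defect class named in the advisory - a handler that
changes any named user's password without tying the request to an
authenticated, authorised caller - next to a hardened version.
All users, passwords and tokens below are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the demo, not tuned.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}      # username -> (salt, password_hash, is_admin)
        self._sessions = {}   # session token -> username

    def add_user(self, username, password, is_admin=False):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), is_admin)

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def is_admin(self, username):
        rec = self._users.get(username)
        return bool(rec and rec[2])

    def login(self, username, password):
        if not self.verify(username, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def session_user(self, token):
        return self._sessions.get(token)

    def _set_password(self, username, new_password):
        salt = os.urandom(16)
        _, _, is_admin = self._users[username]
        self._users[username] = (salt, _hash_password(new_password, salt), is_admin)


def change_password_weak(store, request):
    """Defective pattern: the target account comes from the request body and
    the caller's identity is never checked, so any client can reset any
    account, administrators included. Returns an HTTP-style status code."""
    target = request["username"]
    if target not in store._users:
        return 404
    store._set_password(target, request["new_password"])
    return 200


def change_password_hardened(store, request):
    """Hardened pattern: the caller is resolved from a valid session; a
    self-service change must re-prove the current password; only an
    administrator may reset a different user's password."""
    caller = store.session_user(request.get("session"))
    if caller is None:
        return 401                      # not authenticated
    target = request.get("username", caller)
    if target not in store._users:
        return 404
    if target == caller:
        # Re-authenticate so a leaked session token alone is not enough.
        if not store.verify(caller, request.get("current_password", "")):
            return 403
    elif not store.is_admin(caller):
        return 403                      # not authorised for other accounts
    store._set_password(target, request["new_password"])
    return 200


def demo():
    """Runs both handlers against the same constructed store and returns the
    observed status codes and resulting password checks."""
    store = UserStore()
    store.add_user("admin", "Adm1n-pass", is_admin=True)
    store.add_user("alice", "alice-pass")
    # Weak handler: no session at all, yet the admin password is replaced.
    weak = change_password_weak(store, {"username": "admin", "new_password": "owned"})
    admin_changed = store.verify("admin", "owned")
    # Hardened handler: an unauthenticated request is refused...
    unauth = change_password_hardened(store, {"username": "alice", "new_password": "x"})
    # ...a logged-in non-admin cannot touch another account...
    tok = store.login("alice", "alice-pass")
    cross = change_password_hardened(store, {"session": tok, "username": "admin", "new_password": "x"})
    # ...but may change their own password after re-proving the current one.
    own = change_password_hardened(store, {"session": tok, "current_password": "alice-pass",
                                           "new_password": "alice-new"})
    return weak, admin_changed, unauth, cross, own, store.verify("alice", "alice-new")


if __name__ == "__main__":
    print(demo())
```

The point to check in any real password-change endpoint is the same one the hardened handler makes explicit: the account being modified must be derived from, or authorised against, the authenticated caller, never taken on trust from the request body.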
Cisco Smart Software Manager On-Prem (SSM On-Prem) is a solution that enables organizations to manage their Cisco software licenses and entitlements within their own network environment (as opposed to the cloud). It provides a centralized, on-premises system for managing Cisco Smart Licensing, enabling customers to effectively track and manage their software assets.
In its report, Ars Technica said it wasn’t entirely clear what hackers could do by exploiting the flaw, speculating that the web user interface and application programming interface would allow them to hop over to other Cisco devices connected to the same network. From there, they could steal data, launch ransomware attacks, and the like.
There is no evidence so far that this vulnerability is being exploited in the wild.
Cisco is a popular manufacturer of networking equipment, which also makes it a prime target for cyberattacks. In late April of this year, unknown, sophisticated threat actors, possibly affiliated with nation states in the East, were caught exploiting two flaws in Cisco VPNs and firewalls to drop malware used for espionage. Their targets included government and critical infrastructure networks around the world.
A month earlier, the company had patched a high-severity flaw in one of its software products that could be exploited to open a VPN session with a specific endpoint.