Cisco has released a patch to fix a maximum-severity vulnerability found on the company’s Smart Software Manager On-Prem instances.
The networking giant had added there are no workarounds for the flaw, so users should patch immediately, as the vulnerability could allow malicious actors to change the password of any user, administrators included, which could, in some scenarios, result in data theft, and possibly even ransomware attacks.
The vulnerability is tracked as CVE-2024-20419, and has a “perfect” severity score – 10.
Managing Cisco software licenses
“This vulnerability is due to improper implementation of the password-change process,” Cisco said in an advisory bulletin. “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”
The Cisco Smart Software Manager On-Prem (SSM On-Prem) is a solution enabling organizations to manage their Cisco software licenses and entitlements within their own network environment (as opposed to the cloud). It offers a centralized, on-premises system for administering Cisco Smart Licensing, which helps customers track and manage their software assets effectively.
In its writeup, ArsTechnica said that it wasn’t entirely clear what hackers could do by abusing the flaw, and speculated that the web user interface and application programming interface could allow them to pivot to other Cisco devices connected to the same network. From there, they could steal data, run ransomware attacks, and similar.
So far, there is no evidence of the vulnerability being exploited in the wild.
Cisco is a popular networking gear manufacturer, which also makes it a major target for cyberattacks. In late April this year, unidentified, sophisticated threat actors, possibly affiliated with nation-states in the East, were found abusing two flaws in Cisco VPNs and firewalls, to drop malware used for espionage. Their targets included governments and critical infrastructure networks all around the world.
A month earlier, the company patched a high-severity flaw in one of its software products which could have been leveraged to open a VPN session with a target endpoint.