Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users.
The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0.
“This vulnerability is due to improper implementation of the password-change process,” the company said in an advisory. “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”
The shortcoming affects Cisco SSM On-Prem versions 8-202206 and earlier. It has been fixed in version 8-202212. It’s worth noting that version 9 is not susceptible to the flaw.
Cisco said there are no workarounds that resolve the issue, and that it’s not aware of any malicious exploitation in the wild. Security researcher Mohammed Adel has been credited with discovering and reporting the bug.
CISA Adds 3 Flaws to KEV Catalog
The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation –
- CVE-2024-34102 (CVSS score: 9.8) – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
- CVE-2024-28995 (CVSS score: 8.6) – SolarWinds Serv-U Path Traversal Vulnerability
- CVE-2022-22948 (CVSS score: 6.5) – VMware vCenter Server Incorrect Default File Permissions Vulnerability
CVE-2024-34102, which is also referred to as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing attackers to achieve remote code execution. A proof-of-concept (PoC) exploit for the flaw was released by Assetnote late last month.
Reports about the exploitation of CVE-2024-28995, a directory transversal vulnerability that could enable access to sensitive files on the host machine, were detailed by GreyNoise, including attempts to read files such as /etc/passwd.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886, which has a history of leveraging zero-day flaws in Fortinet, Ivanti, and VMware appliances.
Federal agencies are required to apply mitigations per vendor instructions by August 7, 2024, to secure their networks against active threats.