CVE-2024-20419

Summary

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Smart Software Manager On-Prem8-202206affected

Weaknesses

  • CWE-620: Unverified Password Change

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References