This Week Health
July 19, 2024

Vulnerability in Cisco Smart Software Manager lets attackers change any user password

arstechnica | Contributed by: Drex DeFord
Summary
Cisco announced a critical vulnerability in its Smart Software Manager On-Prem devices that allows unauthenticated remote attackers to change any user's password, including administrators'. The vulnerability, identified as CVE-2024-20419 and rated at the highest severity score of 10, stems from improper implementation of the password-change process. Exploiting it via crafted HTTP requests grants the attacker web UI or API access with the compromised user's privileges. No immediate workarounds are available, but a security update that addresses the issue has been released. Cisco reports no current evidence of active exploitation.


© Copyright 2024 Health Lyrics All rights reserved