BleepingComputer reports that patches have been issued by Cisco for a maximum severity flaw impacting its Smart Software Manager On-Prem license servers and older installations of SSM On-Prem, also known as Cisco Smart Software Manager Satellite.
Such a vulnerability, tracked as CVE-2024-20419, could be exploited to facilitate web UI or API access and eventually allow the unauthenticated creation of new user passwords, according to Cisco. "This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," said Cisco, which has not observed any active abuse of the flaw. Cisco's fixes come weeks after it addressed an NX-OS zero-day, tracked as CVE-2024-20399, leveraged in malware attacks against MDS and Nexus switches. Another pair of Cisco zero-days, tracked as CVE-2024-20353 and CVE-2024-20359, were also noted by the firm to have been leveraged in attacks by the China-linked threat operation Storm-1849, also known as UAT4356.
