CVE-2024-20419
CRITICAL EPSS 99.6%
Published Jul 17, 20241y ago · Modified Jun 17, 20261w ago
10.0 CVSS 3.1
Published Jul 17, 2024 1y ago
Last Modified Jun 17, 2026 1w ago
Description
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
99.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-620
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| cisco | smart_software_manager_on-prem | * | <8-202112 |
References 2
- sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
- secpod.com https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.