Cisco has released a patch for a vulnerability that allows hackers to change admin passwords in its Smart Software Manager (SSM) On-Prem service and its earlier version, Cisco SSM Satellite. Named CVE-2024-20419, the bug carries a CVSS 3.1 rating of 10 out of 10 – the highest possible score for a software vulnerability. Cisco urged users of its SSM On-Prem service to update their software immediately, adding that no workarounds are currently available.
The bug “could allow an unauthenticated, remote attacker to change the password of any user, including administrative users,” said the networking firm. “This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device.”
CVE-2024-20419 carries maximum severity
SSM On-Prem lets Cisco customers manage and register their Smart Licenses from a server inside their own network rather than by connecting each device directly to Cisco's cloud. Using the software, said the company in a recently published white paper, “ensures that customers have the right to use the software features they’ve purchased without having to manage complex license files or activation codes.” The solution, Cisco added, is widely used by financial services and government organisations.
Cisco added that successful exploitation of CVE-2024-20419 could allow an attacker to access the web user interface or API of its SSM On-Prem service with the privileges of the user whose password was changed; since that can be an administrative account, the attacker can effectively take over the service. Despite this, the firm said it was unaware of “any public announcements or malicious use of the vulnerability” so far.
Cisco positioning itself as AI security leader
Cisco’s patch for CVE-2024-20419 was one of 10 published yesterday for vulnerabilities the firm rated from ‘medium’ to ‘critical’. These included a bug in the firm’s Secure Email Gateway allowing attackers to overwrite arbitrary files on the appliance’s underlying operating system, potentially causing a permanent denial of service condition on the affected device that would require manual intervention to fix.
News of CVE-2024-20419 comes amid strenuous efforts by Cisco to position itself as a pioneer of AI-powered network security. In June, the firm announced the creation of a $1bn AI investment fund, having already poured $200m into a range of AI startups. This followed the debut of its AI-powered ‘HyperShield’, which Cisco claimed would, when deployed across multiple network nodes, allow corporations to thwart lateral movement by threat actors through their networking infrastructure.