Cisco has released patches for a critical security flaw in its Smart Software Manager On-Prem (Cisco SSM On-Prem), identified as CVE-2024-20419. This vulnerability, which carries a maximum CVSS score of 10.0, allows remote, unauthenticated attackers to change the password of any user, including administrative accounts, by sending specially crafted HTTP requests to an affected device. Successful exploitation grants the attacker access to the web UI or API with the privileges of the compromised user. The vulnerability stems from an improper implementation of the password-change process and affects Cisco SSM On-Prem versions 8-202206 and earlier.
The issue has been resolved in version 8-202212, and Cisco has confirmed that version 9 is not susceptible to this flaw. Cisco has also noted that there are no workarounds available for this vulnerability and has advised users to apply the patches immediately. Security researcher Mohammed Adel is credited with discovering and reporting this significant bug. Currently, Cisco has not observed any instances of the vulnerability being exploited in the wild, but the potential for severe impact underscores the urgency for users to update their systems.
In related news, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. These vulnerabilities are CVE-2024-34102, an XML external entity (XXE) vulnerability in Adobe Commerce and Magento Open Source with a CVSS score of 9.8; CVE-2024-28995, a path traversal vulnerability in SolarWinds Serv-U with a CVSS score of 8.6; and CVE-2022-22948, an incorrect default file permissions vulnerability in VMware vCenter Server with a CVSS score of 6.5.
CVE-2024-34102, also known as CosmicSting, allows attackers to achieve remote code execution through improper handling of nested deserialization. A proof-of-concept exploit for this flaw was released by Assetnote last month. GreyNoise has reported attempts to exploit CVE-2024-28995, with attackers trying to access sensitive files like /etc/passwd. CVE-2022-22948 has been linked to a China-based cyber espionage group, UNC3886, known for leveraging zero-day flaws in Fortinet, Ivanti, and VMware appliances. Federal agencies are required to implement mitigations per vendor instructions by August 7, 2024, to secure their networks against these active threats.