Cisco has released patches to address a maximum-severity security flaw in Smart Software Manager On-Prem (Cisco SSM On-Prem) that could allow a remote, unauthenticated attacker to change the password of any user, including administrative users.
The vulnerability, tracked as CVE-2024-20419, has a CVSS score of 10.0.
“This vulnerability is related to an incorrect implementation of the password change process,” the company said in an advisory. “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access a web interface or API with the privileges of the compromised user.”
The vulnerability affects Cisco SSM On-Prem versions 8-202206 and earlier. It was fixed in version 8-202212. Version 9 is not affected by the flaw.
Cisco said there are no workarounds for this issue and that it is not aware of any malicious exploitation in the wild. Security researcher Mohamed Adel is credited with discovering and reporting the bug.
CISA adds 3 flaws to the KEV catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation:
- CVE-2024-34102 (CVSS Score: 9.8) – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
- CVE-2024-28995 (CVSS Score: 8.6) – SolarWinds Serv-U Path Traversal Vulnerability
- CVE-2022-22948 (CVSS Score: 6.5) – VMware vCenter Server Incorrect Default File Permissions Vulnerability
CVE-2024-34102, also known as CosmicSting, is a serious security flaw caused by improper handling of nested deserialization, which allows attackers to achieve remote code execution. A proof-of-concept (PoC) exploit for the flaw was released by Assetnote late last month.
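The XXE class of weakness named in the KEV entry comes down to one parser setting: whether external entities declared in a DTD are resolved. The snippet below is an added illustration written for this article, not Adobe's, Magento's or Assetnote's code, and it says nothing about how CosmicSting itself is triggered. It uses only the Python standard library's SAX parser, writes a throwaway file that stands in for a sensitive one, and parses the same constructed document once with external entity resolution enabled and once with it disabled (the hardened setting, which is also the stdlib default since Python 3.7.1).

```python
"""Permissive vs. hardened XML parsing with the stdlib SAX parser.
Added example for illustration; not code from any vendor or researcher."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return its text content.

    resolve_external_entities=True mimics a permissive parser; False is the
    hardened setting every XML consumer exposed to untrusted input should use.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def build_entity_document(local_path: str) -> bytes:
    """Constructed sample: a document whose DTD declares an external entity
    that points at a local file and then references it in the body."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [<!ENTITY ext SYSTEM "' + local_path.encode() + b'">]>\n'
        b'<data>&ext;</data>\n'
    )


def demo() -> tuple:
    """Create a temporary file standing in for a sensitive one, parse the
    same document with both settings, and return (permissive_text, hardened_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("secret-data")
        path = tmp.name
    try:
        doc = build_entity_document(path)
        return parse_text(doc, True), parse_text(doc, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("permissive parser text:", repr(leaked))  # the file's contents
    print("hardened parser text:  ", repr(safe))    # nothing expanded
```

The practical check for a defender is the second line of output: with `feature_external_ges` off, the `&ext;` reference expands to nothing and the file is never opened. Libraries that wrap libxml2 (for example `lxml`) have their own equivalent switches, and rejecting any document that carries a DOCTYPE at all is the simplest policy when your application never needs DTDs.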
Exploitation of CVE-2024-28995, a directory traversal vulnerability that could allow access to sensitive files on the host machine, has been detailed by GreyNoise, including attempts to read files such as /etc/passwd.
The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to the China-nexus cyber espionage group known as UNC3886, which has a history of exploiting zero-day flaws in Fortinet, Ivanti and VMware devices.
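Requests of the kind GreyNoise describes leave a recognisable trace in web server access logs. The script below is an added example, written for this article and not based on GreyNoise's or SolarWinds' tooling, and the log lines it scans are constructed for the demonstration. It parses Combined Log Format entries, percent-decodes the request target repeatedly so that double-encoded `%252e%252e` still becomes `..`, resolves the path the way a naive file-serving handler would, and flags requests that contain traversal segments or resolve to a well-known sensitive file, marking those that received a 2xx response for priority review. The sensitive-file list is an assumption; extend it for your own environment.

```python
"""Spot directory-traversal attempts in web access logs.
Added example; sample log lines are constructed, not real observations."""
import re
import urllib.parse
from posixpath import normpath

# Constructed sample access log lines (Combined Log Format).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2024:10:01:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [17/Jul/2024:10:01:09 +0000] "GET /images/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jul/2024:10:01:11 +0000] "GET /docs/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.5 - - [17/Jul/2024:10:01:20 +0000] "GET /files/report.pdf?id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of files whose retrieval through a web server is almost never legitimate.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/hosts", "/proc/self/environ")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e still become '..'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target: str) -> dict:
    """Decode and normalise a request target and report traversal indicators."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    reasons = []
    if "/../" in path + "/":
        reasons.append("dot-dot segment")
    # Resolve the way a naive handler joining the path under a document root would.
    resolved = normpath("/" + path.lstrip("/"))
    if resolved in SENSITIVE_FILES:
        reasons.append(f"resolves to {resolved}")
    return {"decoded": path, "resolved": resolved, "reasons": reasons}


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyse_target(m["target"])
        if not info["reasons"]:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "resolved": info["resolved"],
            "reasons": info["reasons"],
            # A 2xx response to a request resolving to a sensitive file is the
            # record to escalate first: the server may actually have served it.
            "likely_success": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked "
        print(f'{flag} {hit["ip"]:14} {hit["resolved"]:20} {"; ".join(hit["reasons"])}')
```

Run against the constructed sample, three of the five lines are flagged: the plain `../` probe, the single-encoded variant that received a 200, and the double-encoded `/etc/shadow` request. The second of those is the one an analyst should look at first, since the response code suggests the server did not reject the path.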
To protect their networks from active threats, federal agencies must implement mitigations in accordance with vendor guidelines by August 7, 2024.