
Hackers can change passwords for Cisco Smart Software Manager

  • July 18, 2024


A critical vulnerability in Cisco Smart Software Manager On-Prem allows hackers to change the passwords of any account, including those of administrators, without any authentication.

Cisco recommends that users of Cisco Smart Software Manager On-Prem install an update as soon as possible, because it patches a critical vulnerability with a CVSS score of ten. CVE-2024-20419 allows attackers to arbitrarily change the passwords of accounts on Cisco Smart Software Manager On-Prem.

Hackers can send a special HTTP request to a vulnerable device to change the password of any account and then log in using the modified credentials. The cause of the flaw lies in a poor implementation of the process for legitimately changing a password.

Unclear effects

It is unclear how much damage could be caused after a successful login attempt. Cisco Smart Software Manager On-Prem allows users to manage the licenses of all their Cisco products locally instead of in the cloud. Cisco provides a special device for this purpose. However, the hardware itself does not play a decisive security role.

The only solution to the problem is to install an update. There is no workaround. According to Cisco, there is currently no evidence that the bug is being actively exploited.

Cisco points out that Cisco SSM On-Prem and Cisco SSM Satellite are the same product. Before release 7.0, the product was called Cisco SSM Satellite. Only from release 7.0 onwards is the solution called Cisco SSM On-Prem.

Source: IT Daily
