July 17, 2024 By Sergiu Gatlan
Cisco has fixed a maximum severity vulnerability that allows attackers to change any user's password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators.
The flaw also impacts SSM On-Prem installations earlier than Release 7.0, known as Cisco Smart Software Manager Satellite (SSM Satellite).
As a Cisco Smart Licensing component, SSM On-Prem assists service providers and Cisco partners in managing customer accounts and product licenses.
Tracked as CVE-2024-20419, this critical security flaw is caused by an unverified password change weakness in SSM On-Prem's authentication system. Successful exploitation enables unauthenticated, remote attackers to set new user passwords without knowing the original credentials.
"This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," Cisco explained.
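The weakness class Cisco describes, an unverified password change (the request names the target account and supplies a new password, and the server never ties that request to an authenticated identity or re-checks the existing credential), is easy to see side by side with its hardened form. The following is an added, constructed illustration with a toy in-memory user store; it is not Cisco's code and says nothing about how SSM On-Prem is implemented internally.

```python
"""Constructed illustration of an unverified password change, the weakness class
behind CVE-2024-20419. Toy in-memory store; not Cisco code."""
import hashlib
import hmac
import os
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    def __init__(self) -> None:
        self.users = {}  # username -> {"salt": bytes, "hash": bytes, "admin": bool}

    def add(self, username: str, password: str, admin: bool = False) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "admin": admin}

    def verify(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

    def _set(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=_hash(new_password, salt))


# Vulnerable pattern: target account and new password both come from the request
# body. Nothing binds the request to an authenticated session and the current
# password is never re-proven, so any caller who can reach the endpoint can
# overwrite any account, administrators included.
def change_password_vulnerable(store: UserStore, body: dict) -> bool:
    store._set(body["username"], body["new_password"])
    return True


# Hardened pattern: reject unauthenticated callers, derive the target account from
# the session rather than the body, and require the current password before any
# change is written. (An admin-driven reset for another user belongs in a separate,
# admin-authorised flow, not in this self-service endpoint.)
def change_password_fixed(store: UserStore, session: Optional[dict], body: dict) -> bool:
    if not session or "user" not in session:
        return False                      # unauthenticated request: refused
    user = session["user"]                # target comes from the session, never the body
    if not store.verify(user, body.get("current_password", "")):
        return False                      # existing credential not re-proven: refused
    store._set(user, body["new_password"])
    return True
```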