CVE-2024-20419 CRITICAL

Vendor Cisco
Product Cisco Smart Software Manager On-Prem
Weakness CWE-620 · Unverified password change
Published July 17, 2024
Last update February 13, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Key dates

Disclosure timeline

July 17, 2024 CVE published
February 13, 2025 Record updated