
Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager
2024-07-18 06:01

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem that could enable a remote, unauthenticated attacker to change the password of any user, including administrative users.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

It's worth noting that version 9 is not susceptible to the flaw.

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency added three vulnerabilities to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.

CVE-2024-34102, which is also referred to as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing attackers to achieve remote code execution.

A proof-of-concept exploit for the flaw was released by Assetnote late last month.


News URL

https://thehackernews.com/2024/07/cisco-warns-of-critical-flaw-affecting.html

Related Vulnerability

DATE: 2024-06-13
CVE: CVE-2024-34102
VULNERABILITY TITLE: XXE vulnerability in Adobe Commerce and Magento
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution.
network, low complexity, adobe, CWE-611
RISK: critical, 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751