Maximum-severity Cisco vulnerability allows attackers to change admin passwords
2024-07-18 10:37

Cisco just dropped a patch for a maximum-severity vulnerability that allows attackers to change the password of any user, including admins.

Tracked as CVE-2024-20419, the bug carries a maximum 10/10 CVSS 3.1 rating and affects the authentication system of Cisco Smart Software Manager On-Prem.

Cisco hasn't disclosed too many details about this, which is more than understandable given the nature of the vulnerability.

Cisco hasn't mentioned anything about how many of its customers are potentially affected by this flaw, although a recently updated whitepaper [PDF] about SSM On-Prem authored by Cisco says the product "is most often the go-to solution used by financial institutions, utilities, service providers, and government organizations."

The vulnerability is the standout bug among a slew of issues fixed by Cisco on Wednesday.

It was one of two critical flaws addressed with security updates alongside CVE-2024-20401, an issue with Cisco Secure Email Gateway that allows an unauthenticated attacker to overwrite arbitrary files on the underlying operating system.
News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/18/maximumseverity_cisco_vulnerability_allows_attackers/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4416 230 3062 1826 600 5718