Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users. The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0. "This vulnerability is due to improper implementation of the password-change process," the company said in an advisory. "An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user." The shortcoming affects Cisco SSM On-Prem versions 8-202206 and earlier. It has been fixed in version 8-202212. It's worth noting that version 9 is not susceptible to the flaw. Cisco said there are no workarounds that resolve the issue, and that it's not aware of any malicious exploitation in the wild. Security researcher Mohammed Adel has been credited with discovering and reporting the bug. CISA Adds 3 Flaws to KEV Catalog The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation – CVE-2024-34102 (CVSS score: 9.8) – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability CVE-2024-28995…Read More