Cisco has just released a patch for a maximum severity vulnerability that would allow attackers to change the password of any user, including administrators.
Tracked as CVE-2024-20419, the bug has a maximum 10/10 CVSS 3.1 rating and affects the Cisco Smart Software Manager (SSM) On-Prem authentication system.
Cisco hasn't disclosed many details about the flaw, which is understandable given its nature. What is known is that an unauthenticated remote attacker can exploit it to change passwords. That is hardly ideal, and the patch should be applied as soon as possible.
Digging into the severity assessment, the attack complexity was deemed "low": no privileges or user interaction would be required to pull it off, and the impact on product integrity, availability, and confidentiality is rated "high."