Use of hard-coded credentials in Cisco Smart Software Manager On-Prem - CVE-2020-3158

Published: February 20, 2020


Vulnerability identifier: #VU25474
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-3158
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Smart Software Manager On-Prem

Detailed vulnerability description

The vulnerability allows a remote attacker to gain full access to a vulnerable system.

The vulnerability exists in the High Availability (HA) service because a system account has a default, static password that is not under the control of the system administrator. A remote, unauthenticated attacker can authenticate to the affected system with this account's hard-coded credentials and obtain read and write access to system data, including the configuration of the affected device.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


How to mitigate CVE-2020-3158

Install updates from the vendor's website.

Sources