CVE-2020-3158

Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability

Severity Score

9.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account. The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator. An attacker could exploit this vulnerability by using this default account to connect to the affected system. A successful exploit could allow the attacker to obtain read and write access to system data, including the configuration of an affected device. The attacker would gain access to a sensitive portion of the system, but the attacker would not have full administrative rights to control the device.

A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account. The vulnerability is due to a system account that has a default, static password that is not under the control of the system administrator. An attacker could exploit this vulnerability by using this default account to connect to the affected system. A successful exploit could allow the attacker to obtain read and write access to system data, including the configuration of an affected device. The attacker would gain access to a sensitive part of the system, but would not have full administrative rights to control the device.

*Credits: N/A
CVSS Scores
  • CVSS v3.x vector (matches the 9.1 score above): Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: None
  • Second CVSS v3.x vector: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • CVSS v2 vector: Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality: Complete; Integrity: Complete; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2019-12-12 CVE Reserved
  • 2020-02-19 CVE Published
  • 2024-03-30 EPSS Updated
  • 2024-11-15 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-798: Use of Hard-coded Credentials
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Cisco | Smart Software Manager On-prem | < 7-202001 | - | Affected