Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from Vendor (cisco) · only source for this CVE.
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system.
This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User. Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected.
AnalysisAI
Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).
Technical ContextAI
This vulnerability affects Cisco Smart Software Manager On-Prem (cpe:2.3:a:cisco:cisco_smart_software_manager_on-prem), a self-hosted license management platform. The flaw is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), indicating the web interface improperly includes sensitive session credentials in status messages that lower-privileged users can access. The vulnerability specifically affects the web UI authentication mechanism and session management layer, allowing credential leakage through API or message responses. SSH sessions use a separate authentication path and remain unaffected. The attacker must already possess valid System User credentials, representing a horizontal-to-vertical privilege escalation rather than initial access vulnerability.
RemediationAI
Consult Cisco's official security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8 for vendor-recommended patches and specific fixed versions for your SSM On-Prem deployment. Patch availability per vendor advisory should include version upgrades that prevent session credential leakage in status messages. As immediate risk mitigation while patching, organizations can restrict SSM On-Prem web interface access to trusted networks only via firewall rules, enforce SSH-only administration where feasible, implement enhanced monitoring for privilege escalation attempts, review and minimize accounts with System User role, and audit active web sessions for unauthorized administrative access. After patching, force re-authentication of all web interface sessions and rotate credentials for administrative accounts that were logged in during the vulnerability window.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17954
GHSA-753x-3fmj-hv4q