Active exploitation of Cisco Smart Install underway

SecurityWeek reports that organizations have been warned by the Cybersecurity and Infrastructure Security Agency regarding ongoing attacks targeting misconfigured Cisco network devices with the Smart Install functionality.

More than 6,000 IPs with Cisco SMI were observed by the Shadowserver Foundation to have been exposed to the internet, with CISA noting that exploitation has been made easier by the prevalence of weak passwords in such devices. "Once access is gained a threat actor would be able to access system configuration files easily. Access to these configuration files and system passwords can enable malicious cyber actors to compromise victim network," said the agency. Such an advisory from CISA comes a day after Cisco reported critical and high-severity flaws impacting its Small Business SPA300 and SPA500 series IP phones, which could be leveraged to facilitate arbitrary command execution and a denial-of-service condition, as well as the emergence of a proof-of-concept exploit for the critical Smart Software Manager On-Prem bug, tracked as CVE-2024-20419, which could be used for unauthenticated credential changes.