Home > Cyber News > CVE-2024-20439: Critical Cisco Smart Licensing Flaws Exploited
CYBER NEWS

CVE-2024-20439: Critical Cisco Smart Licensing Flaws Exploited

by   |  Last Update:  |  0 Comments  

Two Critical Vulnerabilities Expose Administrative Access

Two now-patched but previously critical vulnerabilities in Cisco Smart Licensing Utility are being actively exploited in the wild, according to reports from the SANS Internet Storm Center. These flaws affect versions 2.0.0, 2.1.0, and 2.2.0 of the utility, with the most recent version 2.3.0 confirmed to be unaffected.

Critical Cisco Smart Licensing Flaws Under Active Exploitation

The vulnerabilities are the following:

  • CVE-2024-20439 (CVSS 9.8) involves an undocumented static user credential for an admin account, allowing attackers to gain privileged access to a targeted system.
  • CVE-2024-20440 (CVSS 9.8) arises from overly verbose debug log files, which can be accessed via specially crafted HTTP requests to extract sensitive credentials.

If successfully exploited, these Cisco flaws could allow attackers to both log in with administrative rights and extract API-access credentials from log files. However, exploitation is only possible when the Cisco Smart Licensing Utility is actively running.




Active Threats and Additional Exploits

Cybersecurity analysts have been observing an uptake in exploitation attempts targeting these vulnerabilities. Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, confirmed that unidentified threat actors are actively weaponizing these flaws in ongoing campaigns.

Moreover, attackers are taking advantage of other vulnerabilities, including CVE-2024-0305 (CVSS 5.3), an information disclosure flaw in Guangzhou Yingke Electronic Technology’s Ncast system. While the motives and identities behind the campaigns remain unclear, the activity underscores the urgency of patching exposed systems.

Given the critical nature of these flaws and the real-world exploitation attempts, all users of Cisco Smart Licensing Utility should upgrade to version 2.3.0 or later.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. CVE-2019-12648: Cisco IOS Vulnerability Has a CVSS Score of 9.9 A number of high-severity vulnerabilities were unearthed in Cisco IOS...
  2. Cisco Bugs CVE-2018-0151, CVE-2018-171, CVE-2018-015. Patch Now! Three critical vulnerabilities have found in Cisco products. More specifically,...
  3. CVE-2020-3382: Cisco Fixes Critical Flaws in DCNM and SD-WAN Another set of critical vulnerabilities in Cisco products was just...
  4. November 2024 Patch Tuesday Fixes Actively Exploited Flaws (CVE-2024-49039) In its November 2024 Patch Tuesday update, Microsoft addressed 90...
  5. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  6. Cisco Fixes Multiple Critical Flaws in SD-WAN vManage Software (CVE-2021-1468) Another set of patches addressing critical security vulnerabilities was just...
  7. CVE-2024-20272: Critical Flaw in Cisco Unity Connection Cisco has recently addressed a critical security flaw in its...
  8. 3,500 Cisco Network Switches in Iran Hacked by JHT Hacking Group Due to the number of highly critical vulnerabilities in some...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree