
CVE-2024-20439: Critical Cisco Smart Licensing Flaws Exploited

Two Critical Vulnerabilities Expose Administrative Access

Two critical, now-patched vulnerabilities in Cisco Smart Licensing Utility are being actively exploited in the wild, according to reports from the SANS Internet Storm Center. These flaws affect versions 2.0.0, 2.1.0, and 2.2.0 of the utility; the most recent version, 2.3.0, is confirmed to be unaffected.

Critical Cisco Smart Licensing Flaws Under Active Exploitation

The vulnerabilities are the following:

  • CVE-2024-20439 (CVSS 9.8) involves an undocumented static user credential for an admin account, allowing attackers to gain privileged access to a targeted system.
  • CVE-2024-20440 (CVSS 9.8) arises from overly verbose debug log files, which can be accessed via specially crafted HTTP requests to extract sensitive credentials.

If successfully exploited, these Cisco flaws could allow attackers to both log in with administrative rights and extract API-access credentials from log files. However, exploitation is only possible when the Cisco Smart Licensing Utility is actively running.




Active Threats and Additional Exploits

Cybersecurity analysts have observed an uptick in exploitation attempts targeting these vulnerabilities. Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, confirmed that unidentified threat actors are actively weaponizing these flaws in ongoing campaigns.

Moreover, attackers are taking advantage of other vulnerabilities, including CVE-2024-0305 (CVSS 5.3), an information disclosure flaw in Guangzhou Yingke Electronic Technology’s Ncast system. While the motives and identities behind the campaigns remain unclear, the activity underscores the urgency of patching exposed systems.

Given the critical nature of these flaws and the real-world exploitation attempts, all users of Cisco Smart Licensing Utility should upgrade to version 2.3.0 or later.

Milena Dimitrova
