U.S. CISA Adds Cisco Smart Licensing Utility Flaw to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Cisco's Smart Licensing Utility to its list of known exploited vulnerabilities, highlighting the growing threat landscape for organizations relying on this software.
Cisco disclosed two significant vulnerabilities in its Smart Licensing Utility last week: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw. Attackers can use the static credential to authenticate and then read the sensitive log files exposed by the second flaw, posing a substantial risk to organizations that use this software.
While no active exploitation was initially observed, attack activity has been seen since exploit details were published. CISA's Known Exploited Vulnerabilities (KEV) catalog serves as a warning system for federal agencies and private organizations alike: it lists vulnerabilities confirmed to be exploited in the wild, with a remediation deadline, so that organizations can prioritize patching.
According to the advisory published by SANS Internet Storm Center, multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running. Researchers at SANS warned that these two issues are actively exploited in attacks and are somewhat connected.
"The first one is one of the many backdoors Cisco likes to equip its products with," reads the advisory. "A simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file."
"We've seen some exploit activity since the details were published," SANS researchers warned. "The group attempting to exploit these two vulnerabilities is also targeting configuration files and possibly CVE-2024-0305 (CVSS score: 5.3), likely exploiting a DVR vulnerability."
While CISA has ordered federal agencies to fix this vulnerability by April 21, 2025, private organizations are also urged to review the KEV catalog and address the vulnerabilities in their infrastructure.
What You Need to Know:
- Cisco Smart Licensing Utility flaw adds to the growing list of exploited vulnerabilities.
- Attackers can exploit the backdoor to access sensitive log files, posing a significant risk to organizations that use this software.
- No workarounds are available to address these flaws, and private organizations must take proactive steps to secure their networks.
- CISA orders federal agencies to fix this vulnerability by April 21, 2025, as part of its Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
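The KEV catalog is published as a JSON feed, so the review step above can be automated: match an asset inventory against the catalog's vendor/product fields and report the remaining time until each entry's due date. The following Python script is an added example, not code from the article, Cisco or CISA. The record layout (a `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) follows the public KEV JSON feed; the sample records and inventory embedded in the script are constructed for illustration, and only the CVE id and the April 21, 2025 due date are taken from the article (the `dateAdded` value, the second catalog entry and the host names are made up).

```python
"""Triage an asset inventory against a CISA KEV-style JSON feed.

Added example, not from the article or from CISA. The field names mirror the
public KEV feed; all sample values except CVE-2024-20439 and its due date are
constructed for this demonstration.
"""
import json
from datetime import date

# Constructed sample feed. CVE-2024-20439 and dueDate 2025-04-21 come from the
# article; the dateAdded value and the second entry are made up.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-20439",
            "vendorProject": "Cisco",
            "product": "Smart Licensing Utility",
            "vulnerabilityName": "Cisco Smart Licensing Utility Static Credential Vulnerability",
            "dateAdded": "2025-03-31",  # constructed, not stated in the article
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-04-21",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder id, constructed
            "vendorProject": "ExampleVendor",
            "product": "ExampleRouter",
            "vulnerabilityName": "ExampleRouter Example Vulnerability",
            "dateAdded": "2025-04-10",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-05-01",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed asset inventory: one entry per installed vendor/product.
SAMPLE_INVENTORY = [
    {"host": "lic-server-01", "vendor": "Cisco", "product": "Cisco Smart Licensing Utility 2.1.0"},
    {"host": "web-01", "vendor": "Acme", "product": "Acme Web Proxy 4.2"},
]


def load_kev(json_text):
    """Parse a KEV feed document (the full JSON text) into its record list."""
    return json.loads(json_text)["vulnerabilities"]


def _normalise(text):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def match_inventory(kev_records, inventory, today_iso):
    """Return one triage row per (asset, KEV entry) pair whose vendor matches exactly
    and whose catalog product name appears inside the asset's product string.

    today_iso is an ISO date string (YYYY-MM-DD) used to compute days_left/overdue.
    Rows are sorted by due date, earliest first, so the most urgent items lead.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for asset in inventory:
        vendor = _normalise(asset["vendor"])
        product = _normalise(asset["product"])
        for rec in kev_records:
            if _normalise(rec["vendorProject"]) != vendor:
                continue
            if _normalise(rec["product"]) not in product:
                continue
            due = date.fromisoformat(rec["dueDate"])
            hits.append({
                "host": asset["host"],
                "cveID": rec["cveID"],
                "dueDate": rec["dueDate"],
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware_use": rec.get("knownRansomwareCampaignUse", "Unknown"),
            })
    hits.sort(key=lambda h: (h["dueDate"], h["host"]))
    return hits


if __name__ == "__main__":
    records = load_kev(SAMPLE_KEV_JSON)
    for row in match_inventory(records, SAMPLE_INVENTORY, "2025-04-14"):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['host']}: {row['cveID']} due {row['dueDate']} ({status}), "
              f"ransomware use: {row['ransomware_use']}")
```

To run it against the live catalog, replace `SAMPLE_KEV_JSON` with the text of the KEV feed downloaded from CISA and feed your own inventory export into `match_inventory`. The loose substring match on the product field is deliberate: inventory tools rarely spell product names exactly as the catalog does, and a false positive here costs a minute of review, whereas a missed match leaves an exploited flaw unpatched.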