According to the SANS Internet Storm Center, two previously identified security vulnerabilities in the Cisco Smart Licensing Utility are currently being targeted by active exploitation attempts.
The two critical vulnerabilities, both of which Cisco has since patched, are:
- CVE-2024-20439 (CVSS score: 9.8) – An undocumented static credential for an administrative account. An attacker who knows the credential can log in to an affected system with administrative privileges.
- CVE-2024-20440 (CVSS score: 9.8) – An excessively verbose debug log file. An attacker who sends a crafted HTTP request to an affected system can retrieve the log and obtain sensitive data from it, including credentials that can be used to access the API.
Successful exploitation could allow an attacker to log in to the affected system with administrative privileges (CVE-2024-20439) or to read log files containing sensitive data (CVE-2024-20440).
Note that both vulnerabilities can be exploited only while the utility is actively running; a system on which the software is installed but not started is not exposed until it is launched.
Both flaws affect Cisco Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 and were patched by Cisco in September 2024. Version 2.3.0 is not vulnerable to either bug.
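One way to turn the affected-version list above into a fleet check, as an added example that is not code from Cisco or SANS: the script below classifies inventory records by installed version and by whether the utility is running, since the flaws are only exploitable while it runs. The record field names and the sample hosts are constructed assumptions for illustration, not data from the article.

```python
"""Triage helper for Cisco Smart Licensing Utility (CSLU) inventory.

Added example, not Cisco's or SANS's code. Affected and fixed versions are
taken from the advisory text; the inventory schema and hosts are assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Versions listed as affected by CVE-2024-20439 / CVE-2024-20440, and the fix.
AFFECTED_VERSIONS = {(2, 0, 0), (2, 1, 0), (2, 2, 0)}
FIXED_VERSION = (2, 3, 0)

# Lower number = handle first.
PRIORITY = {
    "exploitable_now": 0,         # affected version and the utility is running
    "vulnerable_not_running": 1,  # affected version, currently stopped
    "unknown": 2,                 # version not covered by the advisory text
    "patched": 3,
    "not_installed": 4,
}


class Host(NamedTuple):
    hostname: str                 # assumed inventory field
    cslu_version: Optional[str]   # None when CSLU is not installed
    cslu_running: bool            # is the CSLU process currently running?


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating a leading 'v' and trailing build tags."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(host: Host) -> Tuple[str, str]:
    """Return (status, reason) for one host."""
    if host.cslu_version is None:
        return "not_installed", "CSLU not present"
    ver = parse_version(host.cslu_version)
    if ver in AFFECTED_VERSIONS:
        if host.cslu_running:
            return "exploitable_now", f"{host.cslu_version} affected and the utility is running"
        return "vulnerable_not_running", f"{host.cslu_version} affected; not exploitable until CSLU is started"
    if ver >= FIXED_VERSION:
        return "patched", f"{host.cslu_version} is at or above 2.3.0"
    # Older releases are not named in the advisory text, so do not assume they are safe.
    return "unknown", f"{host.cslu_version} not listed in the advisory; verify manually"


def triage(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """Return (hostname, status, reason) rows, most urgent first."""
    rows = [(h.hostname, *assess(h)) for h in hosts]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("lab-win-01", "2.2.0", True),
    Host("lab-win-02", "2.0.0", False),
    Host("eng-win-07", "v2.3.0", True),
    Host("eng-win-08", None, False),
    Host("old-win-03", "1.9.0", True),
]

if __name__ == "__main__":
    for hostname, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{status:24} {hostname:12} {reason}")
```

Hosts on an affected version that are currently stopped still need the upgrade; they move to the top of the list the moment someone starts the utility.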
As of March 2025, unidentified threat actors have been observed attempting to exploit these vulnerabilities, according to Johannes B. Ullrich, Dean of Research at the SANS Technology Institute. The same activity also targets other flaws, including an information disclosure vulnerability (CVE-2024-0305, CVSS score: 5.3) in Guangzhou Yingke Electronic Technology Ncast.
The ultimate goal of the campaign and the identity of those behind it are currently unknown. Users running an affected version should upgrade to version 2.3.0. Because CVE-2024-20439 is a static credential rather than a misconfiguration, patching is the only way to remove it, and any instance that was running an affected version while reachable over the network should be reviewed for unexpected administrative logins.