CISA Adds Cisco Smart Licensing Vulnerability to Exploited Vulnerabilities Catalog

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant Cisco Smart Licensing Utility vulnerability to its Known Exploited Vulnerabilities catalog. This flaw, along with another related issue, poses severe security risks and is being actively exploited in the wild. Organizations are urged to apply the necessary software updates to mitigate these vulnerabilities.

Main Content

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Cisco Smart Licensing Utility, tracked as CVE-2024-20439, to its Known Exploited Vulnerabilities (KEV) catalog. This addition highlights the urgent need for organizations to address this security risk.

Vulnerability Details

Last week, Cisco disclosed two significant vulnerabilities in its Smart Licensing Utility:

1. CVE-2024-20439 (CVSS score: 9.8): This flaw involves an undocumented static admin credential, allowing unauthorized access with administrative privileges via the Cisco Smart Licensing Utility API.
2. CVE-2024-20440 (CVSS score: 9.8): This vulnerability is due to excessive verbosity in a debug log file, enabling attackers to obtain sensitive data, including credentials, by sending specially crafted HTTP requests.

Security Implications

These vulnerabilities can allow unauthenticated, remote attackers to collect sensitive information or administer Cisco Smart Licensing Utility services, posing a significant security risk¹. Although no active exploitation was initially observed, the publication of exploit details has led to recent attack activity.

Mitigation Steps

Cisco has released software updates to address these flaws, and there are no workarounds available. Organizations are strongly advised to apply these updates immediately to protect their systems.

Expert Warnings

Researchers at the SANS Internet Storm Center have warned that both vulnerabilities are being actively exploited. They noted that the static credential backdoor and the verbose log file issue are connected, allowing attackers to gain unauthorized access and collect sensitive data².

Additionally, the group exploiting these vulnerabilities is also targeting configuration files and potentially CVE-2024-0305 (CVSS score: 5.3), which is a DVR vulnerability.

Regulatory Compliance

According to the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the specified due date to protect their networks against potential attacks. CISA has set April 21, 2025, as the deadline for federal agencies to fix this vulnerability.

Private organizations are also recommended to review the Catalog and address the vulnerabilities in their infrastructure.

Conclusion

The addition of the Cisco Smart Licensing Utility vulnerability to CISA’s KEV catalog underscores the critical importance of timely security updates. Organizations must act swiftly to mitigate these risks and protect their systems from potential attacks.

For more details, visit the full article: source

Additional Resources

For further insights, check:

• Cisco Security Advisory
• SANS Internet Storm Center Advisory

1. “Cisco Smart Licensing Utility Vulnerabilities Advisory” (2025). Cisco Security Advisory. Cisco. Retrieved 2025-03-31. ↩︎

2. “SANS Internet Storm Center Advisory on Cisco Vulnerabilities” (2025). SANS Internet Storm Center. SANS. Retrieved 2025-03-31. ↩︎