Cisco has disclosed critical vulnerabilities in its Smart Licensing Utility software, identified as CVE-2024-20439 and CVE-2024-20440, which could allow unauthenticated, remote attackers to gain administrative access or collect sensitive information from compromised systems.
These flaws, rated with a severity score of 9.8 in the Common Vulnerability Scoring System (CVSS), pose significant security risks to organizations using the affected software.
CVE-2024-20439: Static Credential Vulnerability
A flaw in Cisco Smart Licensing Utility allows unauthorized attackers to log into systems remotely using hardcoded static administrative credentials.
.png
)
The issue arises due to the presence of an undocumented administrative account. Successful exploitation grants attackers access to administrative privileges over the application’s API, leaving systems vulnerable to further compromise.
- Bug ID: CSCwi41731
- CWE: CWE-532
- Impact: Unauthorized administrative access to affected systems.
- CVSS Base Score: 9.8
CVE-2024-20440: Information Disclosure Vulnerability
A separate vulnerability stems from excessive verbosity in debug log files.
Attackers could exploit this issue by sending crafted HTTP requests to affected systems, allowing them to access sensitive log files containing credentials and other critical information.
The disclosed data could enable attackers to further compromise the system.
- Bug ID: CSCwi47950
- CWE: CWE-912
- Impact: Exposure of sensitive information such as administrative credentials.
- CVSS Base Score: 9.8
Affected Products
The vulnerabilities impact the Cisco Smart Licensing Utility software when actively running. Cisco has confirmed the following products are not vulnerable:
- Smart Software Manager On-Prem
- Smart Software Manager Satellite
| Cisco Smart License Utility Release | Status | First Fixed Release |
| 2.0.0 | Vulnerable | Migrate to a fixed release |
| 2.1.0 | Vulnerable | Migrate to a fixed release |
| 2.2.0 | Vulnerable | Migrate to a fixed release |
| 2.3.0 | Not Vulnerable | Already fixed |
Mitigation Steps
Cisco has released free updates to address these vulnerabilities. Users are urged to migrate to a non-vulnerable software version promptly.
Cisco has provided detailed guidance for obtaining software upgrades via the Cisco Support and Downloads page and other authorized channels.
No workarounds are available for these vulnerabilities. Users must upgrade to secure their systems.
Cisco confirmed reports of attempted exploitation of these vulnerabilities as of March 2025. Organizations are strongly advised to take timely action and implement mitigating software updates to prevent compromise.
Organizations using vulnerable versions of Cisco Smart Licensing Utility must act immediately to prevent unauthorized access and information leaks.
Cisco continues to monitor these vulnerabilities and urges users to stay updated with the latest patches and advisories.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
