CISA Adds Cisco Smart Licensing Utility Flaws to Known Exploited Vulnerabilities Catalog

Wednesday, April 2, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities in Cisco Smart Licensing Utility to its Known Exploited Vulnerabilities (KEV) Catalog:

  • CVE-2024-20439 (CVSS 9.8): A static credential backdoor, caused by hardcoded admin credentials embedded in the system. This flaw allows attackers to gain unauthorized administrative access to Cisco APIs.
  • CVE-2024-20440 (CVSS 9.8): An information disclosure vulnerability, where excessive verbosity in system logs may expose sensitive information, such as API credentials, through specially crafted HTTP requests.

Although there was no evidence of active exploitation initially, once vulnerability details were published by researcher Nicholas Starke, associated attack activity began to surface. The SANS Internet Storm Center has warned of attempts to exploit these flaws, including efforts to access configuration files, potentially in conjunction with other vulnerabilities such as CVE-2024-0305. Cisco has already released software updates to address both issues, though no temporary workarounds are currently available. Security experts urge organizations to check their systems against the KEV Catalog and apply the necessary patches as soon as possible.

Under the Binding Operational Directive (BOD) 22-01, all agencies within the Federal Civilian Executive Branch (FCEB) are required to remediate these vulnerabilities by April 21, 2025, to reduce the risk posed by actively exploited flaws. CISA also strongly encourages private sector organizations to review the KEV Catalog and implement appropriate mitigation measures to protect against these critical threats.
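As an added example (not code from the article, Cisco or CISA), the following Python checks an asset inventory against a KEV feed in the JSON shape CISA publishes and reports how many days remain before each matching entry's BOD 22-01 due date. The feed content is a constructed sample: the two Cisco entries use the CVE IDs and due date named above, while the `dateAdded` values and the third entry are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, vendor, product and dueDate for the Cisco entries come from the article;
# dateAdded values and the third entry are placeholders for illustration only.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-20439", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility", "dateAdded": "2025-03-31",
         "dueDate": "2025-04-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20440", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility", "dateAdded": "2025-03-31",
         "dueDate": "2025-04-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-YYYY-PLACEHOLDER", "vendorProject": "ExampleVendor",
         "product": "Example Product", "dateAdded": "2025-01-01",
         "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(feed_text):
    """Parse the KEV feed text and index its entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def match_inventory(kev, inventory):
    """Return KEV entries whose vendor/product pair appears in the inventory.

    `inventory` is a list of (vendor, product) tuples from the organisation's
    asset list; matching is case-insensitive on both fields.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in kev.values()
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def remediation_status(entries, today_iso):
    """Classify matching entries by BOD 22-01 due date, earliest first.

    `today_iso` is a YYYY-MM-DD string; an entry is overdue once that date
    is later than its dueDate.
    """
    today = date.fromisoformat(today_iso)
    status = []
    for e in sorted(entries, key=lambda e: e["dueDate"]):
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        status.append({"cveID": e["cveID"], "dueDate": e["dueDate"],
                       "days_left": days_left, "overdue": days_left < 0})
    return status
```

Against a live feed, replace `SAMPLE_KEV` with the downloaded JSON text and pass your real vendor/product inventory.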

Source: https://securityaffairs.com/176073/hacking/u-s-cisa-adds-cisco-smart-licensing-utility-flaw-known-exploited-vulnerabilities-catalog.html