The SANS Technology Institute’s Internet Storm Center has started seeing attempts to exploit two Cisco Smart Licensing Utility vulnerabilities patched half a year ago.
Cisco revealed in early September 2024 that its Smart Licensing Utility, which enables users to activate and manage Cisco software licenses across their organization, is affected by two critical vulnerabilities. The networking giant at the time announced the availability of patches.
According to Cisco, the flaws, tracked as CVE-2024-20439 and CVE-2024-20440, can allow a remote, unauthenticated attacker to collect sensitive information or manage associated services on a system where the software is running.
Technical details describing CVE-2024-20439 were made public a few weeks later after a researcher reverse engineered Cisco’s patches.
SANS’s Johannes Ullrich on Wednesday reported seeing in-the-wild attempts to exploit these vulnerabilities.
The researcher explained that CVE-2024-20439 is a ‘backdoor’ allowing access to the software through a hardcoded password. CVE-2024-20440 is related to a log file that “logs more than it should” and which can be accessed following the exploitation of the first vulnerability.
In the attacks observed by SANS honeypots, the attacker has attempted to use the default credentials to access Cisco Smart Licensing Utility instances.
It’s unclear what the attackers are after, but Ullrich pointed out that the same threat actor is apparently also trying to hack other types of systems, including what seem to be internet-exposed IoT devices.
There do not appear to be any previous reports of exploitation attempts targeting the Cisco security holes.
Cisco’s advisory for CVE-2024-20439 and CVE-2024-20440 reveals that the flaws were discovered internally, and at the time of writing does not mention in-the-wild exploitation.
SecurityWeek has reached out to Cisco for comment and will update this article if the company responds.
UPDATE: A Cisco spokesperson told SecurityWeek, “On September 4, 2024, Cisco published a security advisory disclosing vulnerabilities in the Cisco Smart Licensing Utility software. These vulnerabilities are not dependent on each other, and are only exploitable on unpatched versions of Cisco Smart Licensing Utility software. To date, Cisco PSIRT has not received direct reports of malicious use of these vulnerabilities, and we encourage our customers to implement available fixed software. Please refer to the security advisory for additional details.”
Related: Cisco Says PoC Exploit Available for Newly Patched IMC Vulnerability
Related: Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign
Related: CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks