New Attacks Target Cisco Smart Licensing Utility Flaws

Hackers have begun targeting critical vulnerabilities in Cisco’s Smart Licensing Utility (SLU), six months after patches were released. The SANS Internet Storm Center recently reported seeing active attempts to exploit these flaws in the wild.

Cisco had first disclosed these vulnerabilities in September 2024, warning users of potential risks to its Smart Licensing Utility—a tool designed to help businesses manage their Cisco software licenses efficiently. At the time, the company released patches to fix the issues, urging users to update immediately.

Critical Security Flaws Expose Systems to Remote Attacks

The two vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, are particularly dangerous. They allow unauthenticated, remote attackers to gain access to sensitive data or manipulate system services where the software is installed.

Weeks after Cisco’s initial disclosure, cybersecurity researchers reverse-engineered the patch and published technical details of CVE-2024-20439. This deeper insight now seems to be driving recent exploitation attempts.

According to SANS’s Johannes Ullrich, hackers are currently leveraging these vulnerabilities, with honeypot systems already recording attack attempts.

Exploiting a Hardcoded Backdoor and Overly Verbose Logs

Further analysis reveals that CVE-2024-20439 functions like a hidden backdoor. It allows attackers to bypass authentication by using hardcoded credentials embedded within the software—essentially granting remote access.

CVE-2024-20440, on the other hand, relates to the application’s logging feature. The log file stores excessive information, which, if accessed, could expose critical system details. However, exploiting this second flaw first requires leveraging the backdoor vulnerability.

Attackers Are Expanding Their Targets Beyond Cisco

SANS’s findings show that attackers are already trying to log in using default credentials to compromise Cisco Smart Licensing Utility instances. Interestingly, the same hacking group appears to be scanning for other vulnerable systems as well, including internet-exposed IoT devices.

At this stage, the exact motives of these attackers remain unclear. Whether they’re attempting to gather sensitive information, gain persistent access, or pivot into other systems is still unknown.

Cisco Acknowledges Flaws but No Widespread Exploitation Confirmed

Cisco’s advisory confirms that the vulnerabilities were discovered internally. So far, the company hasn’t updated the advisory to acknowledge any known exploitation in the wild. However, SANS’s latest observations suggest attackers are now actively testing these weaknesses.

Until recently, there were no public reports of real-world attacks targeting these flaws. The current exploit attempts mark a significant shift and signal growing interest from threat actors.

Stay Protected: Patch Immediately and Monitor Systems

Security experts urge organizations using Cisco Smart Licensing Utility to apply the latest patches if they haven’t already. Additionally, companies should review system logs for suspicious login attempts and monitor network traffic closely.

Vulnerabilities like these underscore the critical importance of timely patching and regular security audits—especially for tools that manage licensing and access controls.
