Summary: Two critical vulnerabilities in Cisco Smart Licensing Utility, exploited in active attacks, have been patched. The flaws allow unauthorized access to administrative accounts and sensitive data through log files. Users are urged to update to version 2.3.0 to mitigate risks associated with these vulnerabilities.
Affected: Cisco Smart Licensing Utility
Keypoints :
- CVE-2024-20439: Undocumented static user credential allows unauthorized login to the system.
- CVE-2024-20440: Excessively verbose debug logs can be accessed by attackers through crafted HTTP requests to obtain sensitive credentials.
- Affected versions: 2.0.0, 2.1.0, and 2.2.0; users should update to version 2.3.0.
- Active exploitation attempts have been observed as of March 2025.
- Unidentified threat actors may be weaponizing related vulnerabilities for broader campaigns.
Source: https://thehackernews.com/2025/03/ongoing-cyber-attacks-exploit-critical.html