Dive Brief:
- CISA earlier this week added CVE-2024-20439, a critical flaw in the Cisco Smart Licensing Utility, to its known exploited vulnerabilities (KEV) catalog. The addition confirms the exploitation attempts against the vulnerability that the SANS Internet Storm Center reported last month.
- CVE-2024-20439, a static credential vulnerability in the Smart Licensing Utility, was initially disclosed and patched in September along with another vulnerability, CVE-2024-20440, an information disclosure flaw in the same tool.
- In an updated security advisory for the two vulnerabilities, Cisco on Wednesday confirmed the exploitation attempts. "In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild."
Dive Insight:
CISA's KEV entry for CVE-2024-20439 said it's "unknown" whether the flaw has been weaponized in ransomware attacks. On March 19, Johannes Ullrich of the SANS Internet Storm Center observed exploitation attempts against the flaws.
At the time, Ullrich told Cybersecurity Dive that the attempts appeared to originate from a "smaller botnet" that was engaged in other malicious activity. Exploitation activity surged in mid-March, he said. "Before that, there was only minor activity for the vulnerability, which [included] a spike for one day early January," Ullrich said in an email last month.
Ullrich told Cybersecurity Dive this week that exploitation activity has been limited to attacks from the botnet over the last two weeks. "We have not seen any new activity for these scans," he said via email. "I believe our initial report contributed to CISA adding this vulnerability to the KEV list."
CVE-2024-20439 allows an unauthenticated, remote attacker to log in to an affected system using an undocumented static administrative credential, though the networking giant noted the flaw cannot be exploited unless the Cisco Smart Licensing Utility is actively running.
In his SANS Storm Center post, Ullrich referred to the vulnerability as the kind of "backdoor" Cisco has often shipped in its products and warned that such static admin credentials provide easy access to systems if they fall into the wrong hands. Ullrich also noted that security researcher Nicholas Starke had previously published a blog post in September with technical details about CVE-2024-20439, including the static credential itself. Anyone, authorized or not, could therefore have taken the static credential from that post and used it to log in to systems running the Smart Licensing Utility.
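Because the credential is static and public, the practical detection question is not "which credential was tried" but "who is trying it, how often, and did it ever succeed". The script below is an added example, not code from Cybersecurity Dive, SANS ISC or Cisco: it triages constructed web-access log lines of the sort a honeypot or reverse proxy in front of the utility would record (Apache combined format with the Authorization header value appended), decodes HTTP Basic credentials, and reports attempts per source and per day plus any request the server answered with 200, which is the case that matters since the utility only accepts the credential when it is actually running. The path prefix /cslu/, the endpoint path and the username/password in the sample lines are assumptions and placeholders, not the real credential.

```python
"""Triage HTTP access logs for static-credential login attempts against the
Cisco Smart Licensing Utility (CVE-2024-20439).

Added example; not code from Cybersecurity Dive, SANS ISC or Cisco.
Assumptions: logs are Apache combined format with the Authorization header
appended as a final quoted field, and the utility's REST API lives under
CSLU_PATH_PREFIX. All sample lines and the credential are constructed.
"""
import base64
import re
from collections import Counter
from datetime import datetime

CSLU_PATH_PREFIX = "/cslu/"              # assumed API prefix of the utility
PLACEHOLDER_CRED = "cslu-admin:placeholder"  # stand-in, NOT the real static credential

# Apache combined format + one extra quoted field holding the Authorization header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)


def log_line(ip, ts, method, path, status, ua, cred=None):
    """Build one constructed log line; `cred` is 'user:password' or None."""
    auth = "-" if cred is None else "Basic " + base64.b64encode(cred.encode()).decode()
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}" "{auth}"'


JOBS = "/cslu/v1/scheduler/jobs"  # assumed endpoint path used in the sample lines
SAMPLE_LOG = [  # constructed sample data (RFC 5737 documentation addresses)
    log_line("203.0.113.10", "05/Jan/2025:02:15:00 +0000", "GET", JOBS, 401, "curl/8.4.0", PLACEHOLDER_CRED),
    log_line("203.0.113.10", "19/Mar/2025:08:01:12 +0000", "GET", JOBS, 401, "python-requests/2.31", PLACEHOLDER_CRED),
    log_line("203.0.113.10", "19/Mar/2025:08:01:13 +0000", "GET", JOBS, 401, "python-requests/2.31", PLACEHOLDER_CRED),
    log_line("198.51.100.7", "19/Mar/2025:09:42:55 +0000", "GET", JOBS, 401, "Go-http-client/1.1"),  # probe, no creds
    log_line("198.51.100.7", "19/Mar/2025:09:43:01 +0000", "GET", JOBS, 200, "Go-http-client/1.1", PLACEHOLDER_CRED),
    log_line("192.0.2.44", "19/Mar/2025:10:00:01 +0000", "GET", "/", 200, "Mozilla/5.0"),  # benign
]


def decode_basic(auth):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise credential attempts against the utility's API across log lines."""
    report = {
        "cslu_requests": 0,        # any request under the assumed API prefix
        "credential_attempts": 0,  # ...that carried Basic credentials
        "by_ip": Counter(),
        "by_day": Counter(),
        "usernames": set(),
        "successes": [],           # (ip, day, path) where the server answered 200
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CSLU_PATH_PREFIX):
            continue
        report["cslu_requests"] += 1
        cred = decode_basic(rec["auth"])
        if cred is None:
            continue
        day = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d")
        report["credential_attempts"] += 1
        report["by_ip"][rec["ip"]] += 1
        report["by_day"][day] += 1
        report["usernames"].add(cred[0])
        if rec["status"] == "200":
            report["successes"].append((rec["ip"], day, rec["path"]))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['credential_attempts']} credential attempts in {r['cslu_requests']} CSLU requests")
    print("per source:", dict(r["by_ip"]))
    print("per day:   ", dict(r["by_day"]))
    print("usernames: ", sorted(r["usernames"]))
    for ip, day, path in r["successes"]:
        print(f"ESCALATE: {ip} got HTTP 200 with credentials on {day} {path}")
```

A 401 from a host that does not run the utility is noise worth counting (it shows the scanning pattern Ullrich described, including the per-day spike); a 200 with the credential attached means a running instance accepted it and should be treated as a confirmed compromise of that host.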