Cisco’s Secret Backdoor: The Licensing Utility Flaw That Keeps Hackers Smiling
The U.S. Cybersecurity and Infrastructure Security Agency has added the Cisco Smart Licensing Utility vulnerability to its Known Exploited Vulnerabilities catalog. This flaw, involving a static credential backdoor, is being actively exploited by attackers who love nothing more than a vulnerability with a backstory. Patch up before April 21, 2025!

Hot Take:
Once again, Cisco’s Smart Licensing Utility proves to be not so smart after all. It’s like leaving the keys to your house under the doormat, announcing it on social media, and then wondering why you’re suddenly hosting a party for uninvited guests. CISA’s new addition to its vulnerability catalog is a timely reminder that even the biggest tech giants sometimes forget to lock their backdoors. Don’t worry, Cisco, we’ve all been there—just maybe not with a CVSS score of 9.8!
Key Points:
- CISA has added two Cisco Smart Licensing Utility vulnerabilities, CVE-2024-20439 and CVE-2024-20440, to its KEV catalog.
- CVE-2024-20439 allows attackers to log in with administrative privileges due to a static credential backdoor.
- CVE-2024-20440 involves a verbose debug log file that leaks sensitive data via specially crafted HTTP requests.
- Both vulnerabilities are now being actively exploited, even though no evidence of exploitation existed at the time of their initial disclosure.
- Federal agencies are mandated to address these vulnerabilities by April 21, 2025, as per CISA’s directive.
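For teams tracking the April 21, 2025 deadline, the KEV catalog is published as a JSON feed, and the check below triages that feed for the two Cisco Smart Licensing Utility entries and reports how many days remain. This is an added example, not code from the original post or from CISA; it assumes the feed's top-level "vulnerabilities" list with cveID, vendorProject, product and dueDate fields, and the sample feed is constructed inline (only the CVE IDs and the due date come from the post; the other values are placeholders).

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. Only the CVE IDs
# and the 2025-04-21 due date are taken from the post; everything else is a
# placeholder, including the unrelated third entry used to exercise filtering.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-20439", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility",
         "shortDescription": "placeholder: static credential",
         "dueDate": "2025-04-21"},
        {"cveID": "CVE-2024-20440", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility",
         "shortDescription": "placeholder: verbose debug log disclosure",
         "dueDate": "2025-04-21"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "Unrelated Product",
         "shortDescription": "placeholder entry that must be filtered out",
         "dueDate": "2025-01-01"},
    ]
})

# The two CVEs named in the post.
WATCHED_CVES = {"CVE-2024-20439", "CVE-2024-20440"}


def triage_kev(feed_json, watched, today_iso):
    """Return the watched KEV entries with a remediation status as of today_iso.

    Status is OVERDUE when the due date has passed, DUE_SOON within 14 days,
    otherwise SCHEDULED. Results are sorted by days remaining (most urgent first).
    """
    today = date.fromisoformat(today_iso)
    feed = json.loads(feed_json)
    results = []
    for entry in feed.get("vulnerabilities", []):
        if entry.get("cveID") not in watched:
            continue  # skip everything that is not on our watch list
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        status = "OVERDUE" if days_left < 0 else "DUE_SOON" if days_left <= 14 else "SCHEDULED"
        results.append({
            "cveID": entry["cveID"],
            "product": f'{entry.get("vendorProject")} {entry.get("product")}',
            "dueDate": due.isoformat(),
            "daysLeft": days_left,
            "status": status,
        })
    return sorted(results, key=lambda r: r["daysLeft"])


if __name__ == "__main__":
    for row in triage_kev(SAMPLE_KEV_JSON, WATCHED_CVES, "2025-04-14"):
        print(row)
```

Pointing the same function at a fresh download of the real feed works unchanged, since only the field names are assumed.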