Unauthenticated Remote Attackers Can Log in to Cisco Systems with Administrative Privileges
CVE-2024-20439

9.8CRITICAL

Key Information:

Vendor
Cisco
Status
Cisco Smart License Utility
Vendor
CVE Published:
4 September 2024

Badges

👾 Exploit Exists🟣 EPSS 16%

Summary

A significant vulnerability exists in the Cisco Smart Licensing Utility due to the presence of an undocumented static user credential for an administrative account. This flaw allows an attacker to remotely log into an affected system without authentication, by utilizing these static credentials. Once inside, the attacker gains administrative privileges through the API of the application, potentially compromising the system's integrity and security. Organizations utilizing this software are urged to assess their security measures and implement necessary patches as detailed in the security advisory.

Affected Version(s)

Cisco Smart License Utility 2.1.0

Cisco Smart License Utility 2.0.0

Cisco Smart License Utility 2.2.0

References

https://sec.cloudapps.cisco.com/security/center/content/C...

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

.