Cisco patches critical flaws in Smart Licensing Utility and Identity Services Engine


Earlier this week, Cisco released patches for vulnerabilities in several of its products that could allow attackers to log in to, or take over, vulnerable devices.

First, it addressed an OS command injection vulnerability in Cisco's Identity Services Engine (ISE), caused by insufficient validation of user-supplied input. This one is tracked as CVE-2024-20469 and carries a severity score of 6.0. Cisco's ISE is a network access control and policy management platform that enables organizations to enforce security policies across their network.

In theory, a local attacker could submit a crafted CLI command and escalate privileges on vulnerable systems to root, but they would need administrative rights on the unpatched system to begin with.

Bugs in SLU

"A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," Cisco said in an advisory, adding that it is aware of proof-of-concept code circulating online. So far, there is no evidence of successful abuse, though.

Versions 3.2 and 3.3 are affected; to secure their deployments, admins should upgrade to 3.2P7 and 3.3P4, respectively.
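The ISE bug is a textbook case of the pattern "user-supplied input reaches an OS command without validation". The following Python example is added here to illustrate that class; it is not Cisco's code and says nothing about how ISE builds its commands. It models a hypothetical admin CLI that accepts a target host and runs a ping, showing the insecure string-splicing form beside a hardened form that allowlist-validates the input and passes an argv list with no shell. The `ping` target and the injected input are constructed sample values.

```python
import re
import subprocess

# Allowlist for a hostname or dotted IPv4 address: letters, digits, hyphens and dots,
# one label per dot, no whitespace and no shell metacharacters of any kind.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$"
)


def build_ping_unsafe(target: str) -> str:
    """Insecure pattern (illustration only): the user-controlled value is spliced
    into a command line string. If this string were run with shell=True, a
    metacharacter such as ';' or '$(...)' would terminate the ping and start a
    second command with the privileges of the tool (root for a setuid helper)."""
    return f"ping -c 1 {target}"


def validate_host(target: str) -> str:
    """Allowlist validation: reject anything that is not a plain hostname/IPv4."""
    if not (1 <= len(target) <= 253) or not _HOST_RE.match(target):
        raise ValueError(f"rejected target: {target!r}")
    return target


def build_ping_safe(target: str) -> list:
    """Hardened pattern: validate first, then build an argv list. Each element is
    passed to the program as one argument; no shell ever parses the input."""
    return ["ping", "-c", "1", validate_host(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False is the default, spelled out here
    because the absence of a shell is the whole point."""
    return subprocess.run(
        build_ping_safe(target), shell=False, capture_output=True, text=True, check=False
    )


# Constructed malicious input: a valid-looking address followed by a second command.
INJECTED = "203.0.113.7; id"

if __name__ == "__main__":
    print("unsafe command line:", build_ping_unsafe(INJECTED))
    try:
        build_ping_safe(INJECTED)
    except ValueError as err:
        print("hardened builder:", err)
    print("hardened argv:", build_ping_safe("203.0.113.7"))
```

The argv form is what prevents injection; the allowlist is defence in depth that also rejects inputs such as `-f` or `--flood` that are not shell metacharacters but would change the program's behaviour. Validation that merely blocklists `;` and `&` is the weaker choice, since every shell has more metacharacters than most lists remember.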

The second flaw recently addressed is a backdoor account found in Cisco's Smart Licensing Utility (SLU) for Windows. SLU is a tool that helps manage and activate software licenses for Cisco products using the Smart Licensing system. The bug, described as an "undocumented static user credential for an administrative account," is tracked as CVE-2024-20439 and carries a severity score of 9.8.

The third flaw, tracked as CVE-2024-20440, stems from excessive verbosity in a debug log file, which could let a remote attacker obtain sensitive information. This one, too, has a 9.8 severity score.

SLU versions 2.0.0, 2.1.0, and 2.2.0 were said to be vulnerable. The first fixed version is 2.3.0.
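The debug-log flaw is a reminder that verbose logging leaks whatever passes through it: credentials, API keys and bearer tokens. The Python example below is added here and is not SLU's code; it shows two defensive controls for that failure mode, a scanner that flags secret-bearing fields in an existing log before it is shared or stored, and a `logging.Filter` that redacts such values at emit time so they never reach the file. The log lines, field names and secret values are constructed samples; the pattern list is a starting point, not a complete inventory of sensitive field names.

```python
import io
import logging
import re

# Constructed sample of an over-verbose debug log. All values are fictitious.
SAMPLE_LOG = """\
2024-09-04 10:15:01 DEBUG licensing: POST /api/token user=licadmin password=Sup3rS3cret!
2024-09-04 10:15:02 DEBUG licensing: response Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
2024-09-04 10:15:02 INFO  licensing: entitlement check ok for product=ise
2024-09-04 10:15:03 DEBUG licensing: smart account id=1234567 api_key=AKIAEXAMPLEKEY000000
"""

# (pattern, replacement) pairs. Group 1 names the field so reports can say what leaked
# without repeating the secret itself.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|pwd|api_key|secret|token)=(\S+)"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)\b(Authorization:\s*Bearer)\s+\S+"), r"\1 [REDACTED]"),
]


def redact_line(line: str) -> str:
    """Replace every secret value in one log line, keeping the field name."""
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def find_exposures(log_text: str) -> list:
    """Scan a log for secret-bearing fields. Returns (line_number, field_name)
    pairs; the secret values themselves are deliberately not returned."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for pattern, _ in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                hits.append((number, match.group(1).lower()))
    return hits


def redact_log(log_text: str) -> str:
    """Produce a copy of the log that is safe to attach to a ticket or share."""
    return "\n".join(redact_line(line) for line in log_text.splitlines()) + "\n"


class RedactingFilter(logging.Filter):
    """Redact at the source: applied to a logger, it rewrites each record's
    rendered message before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = None  # message is already fully formatted
        return True


def emit_redacted(message: str) -> str:
    """Route one DEBUG message through a logger fitted with RedactingFilter and
    return exactly what the handler wrote (a StringIO stands in for the file)."""
    buffer = io.StringIO()
    logger = logging.getLogger("licensing-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.debug(message)
    handler.flush()
    return buffer.getvalue()


if __name__ == "__main__":
    for number, field in find_exposures(SAMPLE_LOG):
        print(f"line {number}: secret in field '{field}'")
    print(redact_log(SAMPLE_LOG))
    print(emit_redacted("POST /api/token user=licadmin password=Sup3rS3cret!"), end="")
```

Redacting at emit time is the control that actually removes the exposure; scanning after the fact only tells you how large it already is. Both are worth running, since the scanner catches fields the filter's pattern list does not yet know about.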

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
