Attackers are leveraging Cisco Smart Licensing Utility static admin credentials (CVE-2024-20439)
CVE-2024-20439, a static credential vulnerability in the Cisco Smart Licensing Utility, is being exploited by attackers in the wild, CISA has confirmed on Monday by adding the flaw to its Known Exploited Vulnerabilities catalog.
Cisco has followed up with a confirmation by updating the security advisory covering CVE-2024-20439 and CVE-2024-20440, an information disclosure flaw in the same software.
“In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” the company said.
All this came two weeks after Johannes Ullrich, Dean of Research at the SANS Technology Institute, flagged exploit attempts of CVE-2024-20439 (and possibly CVE-2024-20440).
About CVE-2024-20439 and CVE-2024-20440
Cisco Smart License Utility Manager (CSLU) is a Windows and Linux application that’s used by Cisco customers to administer licenses and associated Product Instances from their premises.
CVE-2024-20439 and CVE-2024-20440 have been publicly disclosed by Cisco in early September 2024, when they released version 2.3.0 of the software that included fixes for both. The company urged customers to upgrade to it as a workaround wasn’t available.
CVE-2024-20439 allows unauthenticated, remote attackers to log in to an affected system by using a static administrative credential. “A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application,” the company explained.
CVE-2024-20440 allows unauthenticated, remote attackers to obtain log files (and sensitive data in them, e.g. API credentials) by sending a crafted HTTP request to an affected device.
The good news is that the flaws could only be exploited if the utility was actively running. The bad news is that the vulnerabilities could be exploited independently from one another.
But while security researcher Nicholas Starke released a write-up on CVE-2024-20439 and the static admin credential in question in late September 2024, it took until March 2025 for security researchers to spot exploitation attempts.
What to do?
Whether these attemps have been successful is unknown, though CVE-2024-20439’s inclusion in CISA’s KEV catalog would suggest at least some have.
CISA has given US federal agencies until April 21 to “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Other Cisco customers that use the utility are advised to upgrade it to the fixed version.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
Case Study: Are CSRF Tokens Sufficient in Preventing CSRF Attacks?
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner
