CVE-2024-20439
Published 2024-09-04
Priority: P1 · 99 · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-04-21
Exploited in the wild
EPSS: 92.01% (99.8th percentile)
A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential.
This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative rights over the CSLU application API.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_smart_license_utility | — | — |
| cisco | cisco_smart_license_utility | — | — |
| cisco | cisco_smart_license_utility | — | — |
| cisco | smart_license_utility | >= 2.0.0 < 2.3.0 | 2.3.0 |
| cisco | smart_licensing_utility | — | — |
Detection & IOCs
- url: GET /cslu/v1/scheduler/jobs HTTP/1.1
- path: /cslu/v1/scheduler/jobs
- other: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=

- Detect exploitation attempts by monitoring HTTP requests to /cslu/v1/scheduler/jobs with the hardcoded Basic auth header value Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
- Successful exploitation returns HTTP 200 with a JSON body containing 'job_name' and 'current_status' fields and Content-Type application/json; alert on this response pattern combined with the hardcoded credential header
- CVE-2024-20439 is actively chained with CVE-2024-20440 (CSLU information disclosure); monitor for crafted HTTP requests to CSLU log file endpoints following a successful backdoor login
- CVE-2024-20439 is only exploitable when the CSLU Windows application is actively running; hunt for CSLU process execution on internet-exposed Windows hosts as a precondition indicator
- Technical details including the decoded hardcoded static password were published by Nicholas Starke (StarkeBlog) shortly after Cisco's September 2024 patch; treat any authentication using the credential 'cslu-windows-client' as malicious
- The vulnerability is only exploitable when the CSLU application is actively running; it does not run in the background by default, limiting the attack surface to active user sessions
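The first two detection notes above can be combined into one triage pass over recorded HTTP transactions. This is an added example, not code from the page or any of its sources; the event schema, function names and sample records are hypothetical, and only the URI prefix, header value and response fields come from the page.

```python
import json

CSLU_PREFIX = "/cslu/"  # URI prefix from the Suricata rule on this page
STATIC_TOKEN = "Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU="  # IOC from this page
SUCCESS_KEYS = {"job_name", "current_status"}  # response fields from this page

def json_keys(node):
    """Collect every object key found anywhere in a parsed JSON value."""
    if isinstance(node, dict):
        return set(node).union(*map(json_keys, node.values()))
    if isinstance(node, list):
        return set().union(*map(json_keys, node))
    return set()

def lower_keys(headers):
    return {k.lower(): v for k, v in (headers or {}).items()}

def classify(event):
    """Return 'none', 'attempt' or 'success' for one HTTP transaction."""
    req, resp = event["request"], event.get("response") or {}
    auth = lower_keys(req.get("headers")).get("authorization", "")
    scheme, _, token = auth.strip().partition(" ")  # scheme is case-insensitive
    if not (req["uri"].startswith(CSLU_PREFIX) and scheme.lower() == "basic"
            and token.strip() == STATIC_TOKEN):
        return "none"
    ctype = lower_keys(resp.get("headers")).get("content-type", "").lower()
    if resp.get("status") != 200 or not ctype.startswith("application/json"):
        return "attempt"
    try:
        keys = json_keys(json.loads(resp.get("body") or ""))
    except ValueError:  # 200 with a non-JSON body, e.g. an intermediary's page
        return "attempt"
    return "success" if SUCCESS_KEYS <= keys else "attempt"

def triage(events):
    return [(e["src"], v) for e in events if (v := classify(e)) != "none"]

# Constructed sample records (hypothetical log schema, documentation IP ranges).
def _ev(src, auth, status, ctype="", body=""):
    return {"src": src,
            "request": {"uri": "/cslu/v1/scheduler/jobs", "headers": {"Authorization": auth}},
            "response": {"status": status, "headers": {"Content-Type": ctype}, "body": body}}
SAMPLE_EVENTS = [
    _ev("198.51.100.7", "Basic " + STATIC_TOKEN, 200, "application/json",
        '[{"job_name": "constructed", "current_status": "idle"}]'),
    _ev("198.51.100.8", "basic " + STATIC_TOKEN, 401),
    _ev("192.0.2.15", "Basic ZXhhbXBsZTpleGFtcGxl", 401),
    _ev("198.51.100.9", "Basic " + STATIC_TOKEN, 200, "text/html", "<html>"),
]
```

`triage(SAMPLE_EVENTS)` separates requests that merely presented the static credential from those whose response matches the success pattern, which is the distinction that decides whether a host needs incident response or only patching.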
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
- vendor_cisco: 9.8 CRITICAL
CISA
Cisco Smart Licensing Utility Static Credential Vulnerability
cisa·2025-03-31·CVSS 9.8
CVE-2024-20439 [CRITICAL] CWE-912 Cisco Smart Licensing Utility Static Credential Vulnerability
Vulnerability: Cisco Smart Licensing Utility Static Credential Vulnerability
Affected: Cisco Smart Licensing Utility
Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw ; https://nvd.nist.gov/vuln/detail/CVE-2024-20439
Remediation Due Date: 2025-04-21
Cisco
Cisco Smart Licensing Utility Vulnerabilities
vendor_cisco·2024-09-04·CVSS 9.8
CVE-2024-20439 [CRITICAL] CWE-532 Cisco Smart Licensing Utility Vulnerabilities
Cisco Smart Licensing Utility Vulnerabilities
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
For more information about these vulnerabilities, see the Details section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Cisco
Cisco Smart Licensing Utility Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20439 Cisco Smart Licensing Utility Vulnerabilities
CVE-2024-20439: Cisco Smart Licensing Utility Vulnerabilities
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running. Cisco has released software updates that address these vulnerabilities. There are no
CVSS: 3.1
CWE: CWE-532, CWE-912
Bug IDs: CSCwi41731, CSCwi47950
GHSA
GHSA-mcxm-8hr3-frmx: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static adm
ghsa_unreviewed·2024-09-04
CVE-2024-20439 [CRITICAL] CWE-798 GHSA-mcxm-8hr3-frmx: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static adm
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential.
This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
VulnCheck
Cisco Smart Licensing Utility Static Credential Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-20439 [CRITICAL] CWE-912 Cisco Smart Licensing Utility Static Credential Vulnerability
Cisco Smart Licensing Utility Static Credential Vulnerability
Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.
Affected: Cisco Smart Licensing Utility
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf; https://isc.sans.edu/diary/Exploit+Attempts+for+Cisco+Smart+Licensing+Utility+CVE202420439+and+CVE202420440/31782; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
Suricata
ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility API Hardcoded Admin Credentials (CVE-2024-20439)
suricata·2024-09-24·CVSS 9.8
CVE-2024-20439 [CRITICAL] ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility API Hardcoded Admin Credentials (CVE-2024-20439)
ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility API Hardcoded Admin Credentials (CVE-2024-20439)
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility API Hardcoded Admin Credentials (CVE-2024-20439)"; flow:established,to_server; http.uri; content:"/cslu/"; startswith; http.header; content:"Authorization|3a 20|Basic|20|Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU="; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-20439.yaml; reference:cve,2024-20439; classtype:attempted-admin; sid:2056147; rev:1; metadata:affected_product Cisco_Smart_Licensing, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_24, cve CVE_2024_20439, deployment Perimeter, deployment Internal, deployment
Nuclei
Hardcoded Admin Credentials For Cisco Smart Licensing Utility API
nuclei·CVSS 9.8
CVE-2024-20439 [CRITICAL] Hardcoded Admin Credentials For Cisco Smart Licensing Utility API
Hardcoded Admin Credentials For Cisco Smart Licensing Utility API
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
Template:
id: CVE-2024-20439
info:
name: Hardcoded Admin Credentials For Cisco Smart Licensing Utility API
author: iamnoooob,parthmalhotra,pdresearch
severity: critical
descr
Bleepingcomputer
Cisco Webex bug lets hackers gain code execution via meeting links
blogs_bleepingcomputer·2025-04-18·CVSS 5.3
CVE-2025-20236 [MEDIUM] Cisco Webex bug lets hackers gain code execution via meeting links
## Cisco Webex bug lets hackers gain code execution via meeting links
## Sergiu Gatlan
Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
Tracked as CVE-2025-20236, this security flaw was found in the Webex custom URL parser and can be exploited by tricking users into downloading arbitrary files, which lets threat actors execute arbitrary commands on systems running unpatched software in low complexity attacks.
"This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link," Cisco explained in a security advisory released this week.
"An attacker could exploit this vulnerability by persuading a u
Checkpoint
7th April – Threat Intelligence Report
blogs_checkpoint·2025-04-07
CVE-2024-20439 7th April – Threat Intelligence Report
## 7th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 7th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The second-largest bar association in the US, The State Bar of Texas, has experienced a ransomware attack that resulted in unauthorized access to its network, exposing sensitive member information including full names and legal case documents. The INC ransomware gang claimed responsibility for the attack and has already leaked
Bleepingcomputer
Cisco warns of CSLU backdoor admin account used in attacks
blogs_bleepingcomputer·2025-04-02·CVSS 9.8
CVE-2024-20439 [CRITICAL] Cisco warns of CSLU backdoor admin account used in attacks
## Cisco warns of CSLU backdoor admin account used in attacks
## Sergiu Gatlan
Cisco has warned admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
CSLU is a Windows app for managing licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
Cisco patched this security flaw (CVE-2024-20439) in September, describing it as "an undocumented static user credential for an administrative account" that lets unauthenticated attackers log into unpatched systems remotely with admin privileges over the Cisco Smart Licensing Utility (CSLU) app's API.
CVE-2024-20439 only impacts systems running vulnerable Cisco Smart Licensing Utility release
Checkpoint
23rd September – Threat Intelligence Report
blogs_checkpoint·2024-09-23
CVE-2024-8897 23rd September – Threat Intelligence Report
## 23rd September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Medusa ransomware gang has claimed responsibility for an attack on the Providence Public School District (PPSD) in Rhode Island. The school district is still grappling with ongoing internet outages since September 11, impacting over 20,000 students across 37 schools. While the district has contacted law enforcement an
Bleepingcomputer
Cisco warns of backdoor admin account in Smart Licensing Utility
blogs_bleepingcomputer·2024-09-04·CVSS 9.8
CVE-2024-20439 [CRITICAL] Cisco warns of backdoor admin account in Smart Licensing Utility
## Cisco warns of backdoor admin account in Smart Licensing Utility
## Sergiu Gatlan
Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges.
CSLU is a Windows application that helps manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account."
"A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility applicat
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
NoiseLetter September 2024
Timeline
- 2024-09-04: Published
- 2025-03-31: Added to CISA KEV
- Exploited in the wild