cbcvebase.
CVE-2024-20439
published 2024-09-04


Priority: P1 99 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS metrics: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2025-04-21)
Exploited in the wild
EPSS: 92.01% (99.8th percentile)
A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to login to the affected system. A successful exploit could allow the attacker to login to the affected system with administrative rights over the CSLU application API.

Affected

5 ranges

Vendor  Product                      Version range      Fixed in
cisco   cisco_smart_license_utility  -                  -
cisco   cisco_smart_license_utility  -                  -
cisco   cisco_smart_license_utility  -                  -
cisco   smart_license_utility        >= 2.0.0 < 2.3.0   2.3.0
cisco   smart_licensing_utility      -                  -

Detection & IOCs (extracted from sources)

url: GET /cslu/v1/scheduler/jobs HTTP/1.1
path: /cslu/v1/scheduler/jobs
other: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
  • Detect exploitation attempts by monitoring HTTP requests to /cslu/v1/scheduler/jobs with the hardcoded Basic auth header value Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
  • Successful exploitation returns HTTP 200 with JSON body containing 'job_name' and 'current_status' fields and Content-Type application/json — alert on this response pattern combined with the hardcoded credential header
  • CVE-2024-20439 is actively chained with CVE-2024-20440 (CSLU information disclosure) — monitor for crafted HTTP requests to CSLU log file endpoints following successful backdoor login
  • CVE-2024-20439 is only exploitable when the CSLU Windows application is actively running; hunt for CSLU process execution on internet-exposed Windows hosts as a precondition indicator
  • Technical details including the decoded hardcoded static password were published by Nicholas Starke (StarkeBlog) shortly after Cisco's September 2024 patch — treat any authentication using the credential 'cslu-windows-client' as malicious
  • The vulnerability is only exploitable when the CSLU application is actively running; it does not run in the background by default, limiting the attack surface to active user sessions
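A small classifier for the indicators listed above, added here as an example and not code from the cbcvebase page or from Cisco: it labels a captured HTTP exchange as an attempt, a success (HTTP 200, JSON body with job_name and current_status), or static-credential use on some other endpoint. The Exchange record layout and the sample traffic in the test are constructed assumptions, and only the username half of the Basic credential is ever compared.

```python
import base64
import json
from dataclasses import dataclass

# Indicator values as listed on the page (added example; Exchange layout is assumed).
CSLU_JOBS_PATH = "/cslu/v1/scheduler/jobs"
STATIC_BASIC_AUTH = "Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU="
CSLU_STATIC_USER = "cslu-windows-client"

@dataclass
class Exchange:  # one captured request/response pair (constructed record layout)
    path: str
    req_headers: dict
    status: int
    resp_headers: dict
    body: str

def basic_auth_user(header: str) -> "str | None":
    """Username from an HTTP Basic header; the password is never returned."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.partition(":")[0]

def has_job_fields(body: str) -> bool:
    """True if a JSON object (or list of objects) carries job_name and current_status."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    items = doc if isinstance(doc, list) else [doc]
    return any(isinstance(i, dict) and {"job_name", "current_status"}.issubset(i) for i in items)

def classify(x: Exchange) -> "str | None":
    """Label an exchange per the indicators above, or None if it does not match."""
    auth = x.req_headers.get("Authorization", "")
    # The static credential is malicious on any endpoint: exact header or same username.
    if auth != STATIC_BASIC_AUTH and basic_auth_user(auth) != CSLU_STATIC_USER:
        return None
    if x.path != CSLU_JOBS_PATH:
        return "static-credential-use"
    ctype = x.resp_headers.get("Content-Type", "")
    if x.status == 200 and ctype.startswith("application/json") and has_job_fields(x.body):
        return "successful-exploitation"
    return "exploitation-attempt"
```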

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_cisco: 9.8 CRITICAL