CVE-2024-20440
published 2024-09-04


Priority: P1 · 83 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.47% (98.8th percentile)
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
cisco | cisco_smart_license_utility | |
cisco | cisco_smart_license_utility | |
cisco | cisco_smart_license_utility | |
cisco | smart_license_utility | |
cisco | smart_license_utility | |
cisco | smart_license_utility | |
cisco | smart_licensing_utility | |

Detection & IOCs (extracted from sources)

path: /cslu/v1/var/logs/customer-cslu-lib-log.log
filename: customer-cslu-lib-log.log
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:43; content:"/cslu/v1/var/logs/customer-cslu-lib-log.log"; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-20440.yaml; reference:cve,2024-20440; classtype:credential-theft; sid:2056028; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_20440, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_20; target:dest_ip;)
  • Detect unauthenticated HTTP GET requests to the exact URI path /cslu/v1/var/logs/customer-cslu-lib-log.log (bsize:43) — this is the crafted request used to exploit CVE-2024-20440 and retrieve the debug log file containing plaintext credentials.
  • Match HTTP response Content-Type of 'text/x-log' combined with body containing 'csluev.log' and HTTP 200 status — this confirms successful log file retrieval from a vulnerable CSLU instance.
  • CVE-2024-20440 is actively chained with CVE-2024-20439 (backdoor static admin credential); correlate log-access attempts against the CSLU API with subsequent authenticated API calls using credentials harvested from the log file.
  • The vulnerability is only exploitable when the CSLU Windows application is actively running (it does not run in the background by default); detection should focus on hosts where the CSLU process is active and the API port is reachable from untrusted networks.
  • The Snort/ET rule (sid:2056028) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to CSLU; without SSL inspection, the URI-based detection will miss encrypted exploit attempts.
  • The URI bsize match is set to exactly 43 bytes; any URL encoding or path variation by an attacker could evade this specific signature and may require supplementary detections.
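
The last caveat notes that the exact 43-byte URI match can be sidestepped by encoding or path variation. As an added example (not part of the original page, the ET rule, or any Cisco tooling), the following Python script canonicalizes request paths from proxy access logs before matching and separates attempts from HTTP 200 retrievals. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

TARGET = "/cslu/v1/var/logs/customer-cslu-lib-log.log"  # path given on the page

# Assumption: Common Log Format lines from a reverse proxy or TLS-inspecting
# proxy in front of the CSLU API (this is not CSLU's own log format).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(raw_target: str) -> str:
    """Reduce a request target to a canonical, lower-case path."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # undo nested percent-encoding such as %252E
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/{2,}", "/", path.replace("\\", "/"))  # collapse slashes
    # Resolve "." and ".." segments; lower-casing deliberately over-matches.
    return posixpath.normpath(path).lower()

def scan(lines):
    """Return (source, timestamp, outcome) for every request to TARGET."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != TARGET:
            continue
        outcome = "retrieved" if m["status"] == "200" else "attempt"
        hits.append((m["src"], m["ts"], outcome))
    return hits

# Constructed sample lines (documentation-range addresses, invented timestamps).
SAMPLE = [
    '192.0.2.10 - - [20/Sep/2024:10:00:01 +0000] "GET /cslu/v1/var/logs/customer-cslu-lib-log.log HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Sep/2024:10:02:13 +0000] "GET /cslu/v1/var/logs/customer-cslu-lib-log%2Elog HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Sep/2024:10:02:15 +0000] "GET /cslu//v1/./var/logs/customer-cslu-lib-log.log?x=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Sep/2024:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for src, ts, outcome in scan(SAMPLE):
        print(f"{ts} {src} {outcome}")
```

Hosts that produce a "retrieved" result are the ones to check for the subsequent authenticated API calls described in the correlation bullet.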

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck | 7.5 | HIGH
vendor_cisco | 9.8 | CRITICAL