CVE-2024-20440
Published: 2024-09-04
CVE-2024-20440: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to…
Priority: P1 (83) · high · CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In the wild: exploited (VulnCheck KEV)
EPSS: 51.47% (98.8th percentile)
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.
This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
Affected (7 ranges; no version data captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_smart_license_utility | — | — |
| cisco | cisco_smart_license_utility | — | — |
| cisco | cisco_smart_license_utility | — | — |
| cisco | smart_license_utility | — | — |
| cisco | smart_license_utility | — | — |
| cisco | smart_license_utility | — | — |
| cisco | smart_licensing_utility | — | — |
Detection & IOCs (extracted from sources)
filename: customer-cslu-lib-log.log
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:43; content:"/cslu/v1/var/logs/customer-cslu-lib-log.log"; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-20440.yaml; reference:cve,2024-20440; classtype:credential-theft; sid:2056028; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_20440, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_20; target:dest_ip;)
```
- Detect unauthenticated HTTP GET requests to the exact URI path /cslu/v1/var/logs/customer-cslu-lib-log.log (bsize:43) — this is the crafted request used to exploit CVE-2024-20440 and retrieve the debug log file containing plaintext credentials.
- Match an HTTP response with Content-Type 'text/x-log', a body containing 'csluev.log' and HTTP status 200 — this confirms successful log file retrieval from a vulnerable CSLU instance.
- CVE-2024-20440 is actively chained with CVE-2024-20439 (backdoor static admin credential); correlate log-access attempts against the CSLU API with subsequent authenticated API calls using credentials harvested from the log file.
- The vulnerability is only exploitable while the CSLU Windows application is actively running (it does not run in the background by default); detection should focus on hosts where the CSLU process is active and the API port is reachable from untrusted networks.
- The Snort/ET rule (sid:2056028) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to CSLU; without SSL inspection, the URI-based detection will miss encrypted exploit attempts.
- The URI bsize match is set to exactly 43 bytes; any URL encoding or path variation by an attacker could evade this specific signature and may require supplementary detections.
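As an added illustration of the two caveats above (the exact 43-byte URI signature versus encoding or path variation), the following Python is example code written for this page; it is not part of the ET rule, the Nuclei template or any of the aggregated sources. It models the rule's http.uri check as a literal byte comparison and places a supplementary check beside it that normalizes the request path (query stripped, percent-decoded, dot segments collapsed, case folded) before comparing. The request lines are constructed samples, and the code assumes the requests are already visible in cleartext, i.e. after TLS decryption. Suricata and Snort apply their own URI normalization before `http.uri` content matches, so the exact-match column here is a model of the signature's literal, not a claim about what the engine does with each encoding.

```python
"""Model of ET sid:2056028's URI logic next to a normalized-path check.

Added example for this page; not the rule engine and not vendor code.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# The literal the ET rule matches; bsize:43 is exactly its length.
CSLU_LOG_URI = "/cslu/v1/var/logs/customer-cslu-lib-log.log"
assert len(CSLU_LOG_URI.encode()) == 43


def sid_2056028_match(method: str, uri: str) -> bool:
    """Literal model of the rule: http.method GET, http.uri buffer of
    exactly 43 bytes that equals the log path.  Anything longer, shorter
    or differently spelled falls through, as the bsize caveat describes."""
    raw = uri.encode()
    return method == "GET" and len(raw) == 43 and uri == CSLU_LOG_URI


def normalized_path(uri: str) -> str:
    """Supplementary normalization before comparison:
    - drop the query string,
    - percent-decode twice (single and double encoding),
    - collapse '.' / '..' segments and repeated slashes,
    - lower-case, since CSLU runs on Windows where paths are case-insensitive."""
    path = urlsplit(uri).path
    path = unquote(unquote(path))
    path = posixpath.normpath(path)
    return path.lower()


def supplementary_match(method: str, uri: str) -> bool:
    """GET for the log file after normalization, regardless of encoding."""
    return method == "GET" and normalized_path(uri) == CSLU_LOG_URI


def classify(request_lines):
    """Run both checks over HTTP request lines ('METHOD URI VERSION').

    Returns a list of (line, literal_rule_hit, normalized_hit) tuples so the
    two detections can be compared side by side."""
    results = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line; skip rather than guess
        method, uri = parts[0], parts[1]
        results.append((line,
                        sid_2056028_match(method, uri),
                        supplementary_match(method, uri)))
    return results


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cslu/v1/var/logs/customer-cslu-lib-log.log HTTP/1.1",       # literal
    "GET /cslu/v1/var/logs/customer-cslu-lib-log.log?x=1 HTTP/1.1",   # query appended
    "GET /cslu/v1/var/logs/%63ustomer-cslu-lib-log.log HTTP/1.1",     # percent-encoded
    "GET /cslu/v1/var/logs/../logs/customer-cslu-lib-log.log HTTP/1.1",  # dot segment
    "GET /cslu/v1/license HTTP/1.1",                                  # unrelated API call
]

if __name__ == "__main__":
    for line, literal_hit, norm_hit in classify(SAMPLE_REQUESTS):
        print(f"literal={literal_hit!s:5} normalized={norm_hit!s:5}  {line}")
```

Only the first sample trips the literal 43-byte model; the normalized check additionally flags the query, percent-encoded and dot-segment variants while still ignoring the unrelated API call. Pairing the normalized check with the response-side match (Content-Type text/x-log, status 200) keeps false positives down when the broader path matching is deployed.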
CVSS provenance
- nvd: v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
- vendor_cisco: 9.8 CRITICAL
GHSA
GHSA-g9j7-w55p-jq3w: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information
ghsa_unreviewed · 2024-09-04 · CVE-2024-20440 [HIGH] · CWE-532
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.
This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
VulnCheck
Cisco Smart Licensing Utility Insertion of Sensitive Information into Log File
vulncheck · 2024 · CVE-2024-20440 [HIGH] · CVSS 7.5
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information.
This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
Affected: Cisco Smart Licensing Utility
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explore
Cisco
Cisco Smart Licensing Utility Vulnerabilities
vendor_cisco · 2024-09-04 · CVE-2024-20439 [CRITICAL] · CWE-532 · CVSS 9.8
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
For more information about these vulnerabilities, see the Details section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Cisco
CVE-2024-20440: Cisco Smart Licensing Utility Vulnerabilities
vendor_cisco · CVSS 3.1
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running. Cisco has released software updates that address these vulnerabilities. There are no
CVSS: 3.1
CWE: CWE-532, CWE-912
Bug IDs: CSCwi41731, CSCwi47950
Suricata
ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440)
suricata · 2024-09-20 · CVE-2024-20440 [HIGH] · CVSS 7.5
Rule (truncated in the source record):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Smart Licensing Utility customer-cslu-lib-log.log Access Attempt (CVE-2024-20440)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:43; content:"/cslu/v1/var/logs/customer-cslu-lib-log.log"; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-20440.yaml; reference:cve,2024-20440; classtype:credential-theft; sid:2056028; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_09_20, cve CVE_2024_20440, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, sign
```
Nuclei
Cisco Smart Licensing Utility UnAuthenticated Logs Exposure Leaking Plaintext Credentials
nuclei · CVE-2024-20440 [HIGH] · CVSS 7.5
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to excessive verbosity in a debug log file. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
Template (truncated in the source record):
```yaml
id: CVE-2024-20440

info:
  name: Cisco Smart Licensing Utility UnAuthenticated Logs Exposure Leaking Plaintext Credentials
  author: iamnoooob,parthmalhotra,pdresearch
  severity: high
  description: |
    A vulnerability in Cisco Smart Licensing Utility
```
Checkpoint
7th April – Threat Intelligence Report
blogs_checkpoint · 2025-04-07 · CVE-2024-20439
## 7th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 7th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The second-largest bar association in the US, The State Bar of Texas, has experienced a ransomware attack that resulted in unauthorized access to its network, exposing sensitive member information including full names and legal case documents. The INC ransomware gang claimed responsibility for the attack and has already leaked
Bleepingcomputer
## Cisco warns of CSLU backdoor admin account used in attacks
blogs_bleepingcomputer · 2025-04-02 · CVE-2024-20439 [CRITICAL] · CVSS 9.8
By Sergiu Gatlan
Cisco has warned admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
CSLU is a Windows app for managing licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
Cisco patched this security flaw (CVE-2024-20439) in September, describing it as "an undocumented static user credential for an administrative account" that lets unauthenticated attackers log into unpatched systems remotely with admin privileges over the Cisco Smart Licensing Utility (CSLU) app's API.
CVE-2024-20439 only impacts systems running vulnerable Cisco Smart Licensing Utility release
Bleepingcomputer
## Cisco warns of backdoor admin account in Smart Licensing Utility
blogs_bleepingcomputer · 2024-09-04 · CVE-2024-20439 [CRITICAL] · CVSS 9.8
By Sergiu Gatlan
Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges.
CSLU is a Windows application that helps manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account."
"A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility applicat