2025-04-03

CVE-2024-20439, a static credential vulnerability in the Cisco Smart Licensing Utility, is being exploited by attackers in the wild, CISA confirmed on Monday by adding the flaw to its Known Exploited Vulnerabilities catalog.

Cisco has followed up with a confirmation by updating the security advisory covering CVE-2024-20439 and CVE-2024-20440, an information disclosure flaw in the same software.

“In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” the company said.

All this came two weeks after Johannes Ullrich, Dean of Research at the SANS Technology Institute, flagged exploit attempts of CVE-2024-20439 (and possibly CVE-2024-20440).

About CVE-2024-20439 and CVE-2024-20440

Cisco Smart License Utility Manager (CSLU) is a Windows and Linux application that’s used by Cisco customers to administer licenses and associated Product Instances from their premises.

CVE-2024-20439 and CVE-2024-20440 were publicly disclosed by Cisco in early September 2024, when it released version 2.3.0 of the software with fixes for both. The company urged customers to upgrade to it, as no workaround was available.

CVE-2024-20439 allows unauthenticated, remote attackers to log in to an affected system by using a static administrative credential. “A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application,” the company explained.

CVE-2024-20440 allows unauthenticated, remote attackers to obtain log files (and sensitive data in them, e.g. API credentials) by sending a crafted HTTP request to an affected device.

The good news is that the flaws could only be exploited if the utility was actively running. The bad news is that the vulnerabilities could be exploited independently from one another.
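Because exposure depends on two things the advisory spells out (a version below 2.3.0 and the utility actually running), a defender's first job is to triage an inventory on exactly those two conditions. The script below is an added illustration, not Cisco's or CISA's code: the inventory entries, host names and the `running` flag are constructed sample data, and the only page-derived fact is the fixed version 2.3.0.

```python
"""Triage a CSLU inventory for CVE-2024-20439 / CVE-2024-20440 exposure.

Added example (not Cisco's or CISA's code). Assumes a constructed inventory
of hosts with an installed CSLU version string and whether the utility is
running; the fixed version 2.3.0 comes from the Cisco advisory.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (2, 3, 0)  # first CSLU release with fixes for both CVEs


@dataclass
class Host:
    name: str
    version: str   # installed CSLU version as reported by inventory
    running: bool  # the flaws are only reachable while the utility runs


def parse_version(text: str) -> tuple:
    """Turn '2.2.0', 'v2.10.1' or '2.3' into a comparable integer tuple."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True for any release before the fixed 2.3.0 build."""
    return parse_version(version) < FIXED_VERSION


def triage(hosts: list) -> dict:
    """Map each host name to a remediation status.

    'exposed'   : vulnerable build and the utility is running -> patch first
    'dormant'   : vulnerable build but not running -> patch before next start
    'patched'   : 2.3.0 or later
    """
    status = {}
    for host in hosts:
        if not is_vulnerable_version(host.version):
            status[host.name] = "patched"
        elif host.running:
            status[host.name] = "exposed"
        else:
            status[host.name] = "dormant"
    return status


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    Host("lic-srv-01", "2.2.0", running=True),
    Host("lic-srv-02", "2.2.0", running=False),
    Host("lic-srv-03", "2.3.0", running=True),
    Host("lic-srv-04", "v2.10.1", running=True),
]

if __name__ == "__main__":
    for name, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name}: {state}")
```

Hosts reported as `exposed` are the ones CISA's KEV deadline is really about; `dormant` hosts are not reachable today but become exposed the moment the utility is started, so they still need the upgrade rather than being left on the old build.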

But while security researcher Nicholas Starke released a write-up on CVE-2024-20439 and the static admin credential in question in late September 2024, it took until March 2025 for security researchers to spot exploitation attempts.

What to do?

Whether these attempts have been successful is unknown, though CVE-2024-20439’s inclusion in CISA’s KEV catalog would suggest at least some have.

CISA has given US federal agencies until April 21 to “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Other Cisco customers that use the utility are advised to upgrade it to the fixed version.

