CVE-2024-20439
Published: 04 September 2024
Summary
CVE-2024-20439 is a critical-severity Hidden Functionality (CWE-912) vulnerability in Cisco Smart License Utility. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2024-20439 is a vulnerability in Cisco Smart Licensing Utility (CSLU) stemming from an undocumented static administrative credential. The flaw, tracked under CWE-798 and CWE-912, permits unauthenticated remote access to the CSLU application API with full administrative privileges and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the hardcoded credential to log directly into an affected CSLU instance. Successful exploitation grants administrative control over the licensing utility's API, enabling arbitrary actions within the application without any user interaction or prior authentication.
The Cisco Security Advisory at sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw and the CISA Known Exploited Vulnerabilities catalog both address the issue, with CISA listing the CVE as actively exploited in the wild. The associated EPSS score stands at 0.8715, indicating substantial exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18154
Vulnerability details
A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account.
An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative rights over the CSLU application API.
- CWE(s): CWE-798, CWE-912
- KEV Date Added: 31 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly requires management of authenticators to prohibit undocumented static credentials such as the hardcoded administrative account in CSLU.
- AC-3 (Access Enforcement): Enforces approved access mechanisms so that the static credential cannot be used to obtain unauthorized administrative API access.
- AC-2 (Account Management): Requires formal account management processes that would detect and eliminate the undocumented static administrative account before deployment.