Vulnerability Details : CVE-2024-20439
A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential.
This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to login to the affected system. A successful exploit could allow the attacker to login to the affected system with administrative rights over the CSLU application API.
Products affected by CVE-2024-20439
- cpe:2.3:a:cisco:cisco_smart_license_utility:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:cisco_smart_license_utility:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:cisco_smart_license_utility:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:smart_license_utility:*:*:*:*:*:*:*:*
CVE-2024-20439 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Cisco Smart Licensing Utility Static Credential Vulnerability
CISA required action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA description:
Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.
Notes:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw ; https://nvd.nist.gov/vuln/detail/CVE-2024-20439
Added on
2025-03-31
Action due date
2025-04-21
Exploit prediction scoring system (EPSS) score for CVE-2024-20439
88.88%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-20439
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
Cisco:cisco-sa-cslu-7gHMzWmw | 2024-09-04 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | 2024-09-13 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
Cisco Systems, Inc. | 2025-04-01 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
Cisco Systems, Inc. | 2024-09-04 |
CWE ids for CVE-2024-20439
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by: nvd@nist.gov (Primary)
-
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.Assigned by:
- d1c1063e-7a18-46af-9102-31f8928bc633 (Primary)
- psirt@cisco.com (Secondary)
- ykramarz@cisco.com (Secondary)
References for CVE-2024-20439
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Cisco Smart Licensing Utility VulnerabilitiesVendor Advisory
Jump to