Critical Cisco CSLU Security Vulnerability Under Active Exploitation

Cisco has confirmed that serious security vulnerabilities in its Smart Licensing Utility (CSLU) are currently being exploited in real-world cyberattacks. The company is strongly urging customers to immediately apply the latest software updates that address these critical security flaws, as attackers can potentially gain administrator privileges through these vulnerabilities.

Details of the Critical Vulnerabilities

In September 2024, Cisco disclosed a severe vulnerability tracked as CVE-2024-20439 affecting CSLU software. This critical flaw involves hardcoded administrator credentials embedded within the application, allowing unauthorized remote attackers to access systems with administrator privileges through the CSLU API.

The vulnerability impacts CSLU versions 2.0.0 through 2.2.0 and can only be exploited when CSLU is manually executed, as the program does not automatically run in the background by default.

A second vulnerability, CVE-2024-20440, was discovered simultaneously. This security flaw involves excessive information being recorded in debug log files, enabling unauthenticated attackers to view sensitive information, including API credentials, by sending specially crafted HTTP requests. This vulnerability also affects CSLU versions 2.0.0 through 2.2.0.

Confirmed Exploitation in the Wild

In March 2025, Cisco’s Product Security Incident Response Team (PSIRT) confirmed evidence that these vulnerabilities are being actively exploited. Johannes Ullrich from the SANS Technology Institute reported capturing instances where attackers are using both vulnerabilities in combination to target internet-exposed CSLU instances, attempting to steal administrator privileges and extract sensitive information.

Government Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20439 to its “Known Exploited Vulnerabilities Catalog” and directed federal agencies to remediate this vulnerability by April 21, 2025.

Mitigation Recommendations

Cisco is currently distributing updated software versions that resolve these vulnerabilities and strongly recommends customers apply these updates immediately.

Security experts advise organizations that cannot immediately apply patches to implement temporary measures, including:

• Network segmentation to limit external access
• Continuous monitoring of administrator access logs
• Re-evaluation of application runtime environments
• Assessment of overall security architecture

Protecting Your Systems

Organizations using Cisco CSLU should take immediate action to protect their systems from these actively exploited vulnerabilities. The combination of hardcoded credentials and information leakage makes these flaws particularly dangerous, as they provide attackers with multiple vectors to compromise systems.

About Cisco CSLU

Cisco Smart Licensing Utility (CSLU) is a software tool that helps organizations manage and track their Cisco product licenses. It serves as an intermediary between Cisco products and Cisco’s Smart Software Manager, enabling automated license registration, consumption reporting, and compliance monitoring without requiring direct internet access from all devices.