
Attackers are exploiting Cisco Smart Licensing Utility static admin credentials (CVE-2024-20439)


In a recent revelation, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of CVE-2024-20439, a static credential vulnerability found in the Cisco Smart Licensing Utility. This alarming discovery has prompted CISA to add the flaw to its Known Exploited Vulnerabilities catalog, indicating that attackers have been actively taking advantage of this security vulnerability in the wild.

Following CISA’s announcement, Cisco confirmed the exploitation and updated its security advisory to cover not only CVE-2024-20439 but also CVE-2024-20440, an information disclosure flaw in the same software. The Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of CVE-2024-20439 in March 2025, highlighting the urgency of addressing these vulnerabilities.

The exploitation of CVE-2024-20439 and possibly CVE-2024-20440 was brought to light by Johannes Ullrich, the Dean of Research at the SANS Technology Institute, who flagged the exploit attempts in a recent report. These vulnerabilities pose a serious threat to the security and integrity of Cisco customers using the Smart License Utility Manager (CSLU) application to manage licenses and product instances.

CVE-2024-20439 allows remote attackers to access an affected system using a static administrative credential, granting them unauthorized access with administrative privileges. On the other hand, CVE-2024-20440 enables attackers to retrieve sensitive data, such as API credentials, by sending a specially crafted HTTP request to the targeted device.

While Cisco had released a patched version of the software (2.3.0) in September 2024 to address these vulnerabilities, it was only in March 2025 that security researchers observed exploitation attempts in the wild. It is essential for Cisco customers to upgrade to the latest version of the software to mitigate the risk posed by these vulnerabilities.

The vulnerabilities can only be exploited when the utility is actively running, but they can be exploited independently of each other, increasing the potential threat to affected systems. Security researcher Nicholas Starke had previously highlighted the static admin credential issue in CVE-2024-20439, emphasizing the importance of addressing these vulnerabilities promptly.
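As an added example (not Cisco's or the article's own code), the triage script below shows how a defender would work through the two points above: flag every Smart Licensing Utility build older than the fixed 2.3.0, compare versions numerically rather than as strings, and separate hosts where the utility is running (exploitable now) from hosts where it is installed but idle. The inventory layout ("host", "cslu_version", "cslu_running") is an assumption; map it to your own CMDB fields.

```python
# Added example, not Cisco's or the article's code: triage an inventory for
# CVE-2024-20439 / CVE-2024-20440 exposure. Inventory field names are assumed.

FIXED_VERSION = (2, 3, 0)  # first patched Cisco Smart Licensing Utility release


def parse_version(version: str) -> tuple:
    """'2.10.1' -> (2, 10, 1). Numeric compare; a string compare would rank
    '2.10.1' below '2.3.0'. Short forms like '2.3' are padded to three parts."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for any CSLU build older than the fixed 2.3.0."""
    return parse_version(version) < FIXED_VERSION


def classify(entry: dict) -> str:
    """exposed: vulnerable build and utility running (exploitable now).
    dormant: vulnerable build, not running (exposure returns when started).
    patched: 2.3.0 or later."""
    if not is_vulnerable_version(entry["cslu_version"]):
        return "patched"
    return "exposed" if entry["cslu_running"] else "dormant"


def triage(inventory: list) -> dict:
    """Return {host: state} for every inventory entry."""
    return {e["host"]: classify(e) for e in inventory}


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "lic-01", "cslu_version": "2.2.0", "cslu_running": True},
    {"host": "lic-02", "cslu_version": "2.2.0", "cslu_running": False},
    {"host": "lic-03", "cslu_version": "2.3.0", "cslu_running": True},
    {"host": "lic-04", "cslu_version": "2.10.1", "cslu_running": True},
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "dormant" still need the upgrade: the utility only has to be started for the static credential to become reachable again.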

In response to these cybersecurity threats, CISA has issued a directive for US federal agencies to apply mitigations as per vendor instructions, follow relevant guidance for cloud services, or discontinue the use of the product if necessary by April 21. This underscores the critical nature of addressing these vulnerabilities to prevent further exploitation and potential data breaches.

In conclusion, the exploitation of CVE-2024-20439 and CVE-2024-20440 underscores the importance of proactive cybersecurity measures and timely software updates to mitigate the risks posed by such vulnerabilities. It is crucial for organizations using the Cisco Smart Licensing Utility to prioritize security updates and follow best practices to safeguard their systems against potential cyber threats.
