What is Cisco Smart Licensing Utility?
Cisco Smart Licensing Utility (CSLU) is a Windows-based desktop application that acts as an intermediary between Cisco products and Cisco's Smart Software Manager (SSM) for managing software licenses. Organizations deploy CSLU when their Cisco devices cannot directly reach Cisco's cloud licensing servers — CSLU runs locally, collects license usage data from on-premises Cisco products, and reports to Cisco SSM. CSLU provides a REST API interface that Cisco products use to communicate license information. While not a network-perimeter device itself, CSLU runs on Windows machines with access to Cisco device management networks and can communicate with a wide range of Cisco infrastructure.
Overview
CVE-2024-20439 is a static (hardcoded) credential vulnerability (CWE-912) in Cisco Smart Licensing Utility. The application contains an undocumented static administrative credential that allows an unauthenticated remote attacker to log in to the CSLU API with administrative privileges. CSLU's REST API provides access to licensing data and configuration for all connected Cisco products. This vulnerability is chained with companion CVE-2024-20440 (an information disclosure vulnerability that exposes log files containing sensitive data, including credentials) — together they provide comprehensive unauthorized access to the CSLU system and the data it manages. CISA added both to the KEV catalog in March 2025, seven months after Cisco's September 2024 patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Cisco Smart Licensing Utility | 2.0.0 | 2.3.0 |
| Cisco Smart Licensing Utility | 2.1.0 | 2.3.0 |
| Cisco Smart Licensing Utility | 2.2.0 | 2.3.0 |
Note: CSLU only processes connections when it is running. If CSLU is installed but not actively running, the vulnerable service is not exposed.
Technical Details
The static credential vulnerability (CWE-912) involves a hardcoded username and password baked into the CSLU application binary or configuration — credentials that are the same across all CSLU installations and cannot be changed by administrators. These undocumented credentials provide administrative access to CSLU's REST API, which is exposed on a local port when CSLU is running.
Exploitation requirements:
- Network access to the CSLU host on the API port (typically localhost or the host's network interfaces)
- CSLU must be running (it does not run as a persistent service by default — it must be started manually or via a scheduled task)
CVE-2024-20440 chaining: The companion vulnerability exposes CSLU log files via an unauthenticated API endpoint. These logs may contain:
- Credentials used by Cisco devices to authenticate to CSLU
- License data and usage information for all connected Cisco products
- Network topology information about connected Cisco infrastructure
Administrative API access via static credential: With the static credential, an attacker can:
- Read all license data for connected Cisco products
- Potentially modify license records
- Access configuration data about the Cisco product estate
Discovery
The vulnerability was discovered by security researchers and reported to Cisco through the responsible disclosure process. Cisco credited the reporters in the advisory but did not name them publicly.
Exploitation Context
CISA added CVE-2024-20439 to the KEV catalog on March 31, 2025, seven months after the September 2024 patch. The long gap suggests exploitation occurred after the static credential was discovered through binary analysis of the CSLU application and the credential was published or shared in attacker communities. CSLU runs in environments with access to Cisco device management networks, making it a useful lateral movement target for attackers who have already gained a foothold on a corporate network.
Remediation
- Upgrade Cisco Smart Licensing Utility to version 2.3.0 immediately. The CISA deadline was April 21, 2025.
- Stop CSLU when not in active use — CSLU is not required to run continuously; run it only when performing license management tasks, which limits the exposure window.
- Restrict network access to the CSLU host — firewall the CSLU API port to allow connections only from legitimate Cisco devices and authorized administrators.
- Also patch CVE-2024-20440 (information disclosure) — both vulnerabilities are addressed in CSLU 2.3.0 and should be remediated together.
- Audit CSLU logs for unexpected API access from unusual source IP addresses during the September 2024–March 2025 exposure window.
- Rotate credentials for Cisco devices that authenticate to CSLU if exploitation is suspected.
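One way to carry out the log audit step above, as an added example that is not Cisco's code: it assumes a constructed one-request-per-line access-log format (this page does not document CSLU's real log format, so parse_line must be adapted to what your install writes) and an allow-list of subnets for legitimate Cisco devices and administrator workstations. Anything inside the September 2024 to March 2025 window that came from outside that allow-list is flagged for triage.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Exposure window taken from this advisory: patch on 2024-09-04, KEV listing on 2025-03-31.
WINDOW_START = datetime(2024, 9, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 3, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed record format (an assumption, not CSLU's real format):
#   "<ISO-8601 timestamp> <source IP> <HTTP method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample log: an unknown source hits the login and log endpoints
# inside the window; the last line falls after the window and is ignored.
SAMPLE_LOG = """\
2024-10-02T09:15:00+00:00 10.20.30.5 POST /api/licenses 200
2024-10-02T09:16:12+00:00 10.20.30.6 GET /api/licenses 200
2025-01-14T03:41:07+00:00 203.0.113.77 POST /api/login 200
2025-01-14T03:42:30+00:00 203.0.113.77 GET /api/logs 200
2025-06-01T10:00:00+00:00 198.51.100.9 GET /api/licenses 200
"""

def parse_line(line):
    """Return a dict for a well-formed record, or None for lines to skip."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "method": method, "path": path, "status": int(status)}

def audit(lines, allowed_sources, start=WINDOW_START, end=WINDOW_END):
    """Records inside [start, end] whose source IP is in none of the allowed subnets."""
    nets = [ip_network(n) for n in allowed_sources]
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if not start <= rec["ts"] <= end:
            continue  # outside the exposure window being audited
        if any(rec["src"] in net for net in nets):
            continue  # a known Cisco device or administrator host
        findings.append(rec)
    return findings

def summarize(findings):
    """Count flagged requests per source IP so triage starts with the noisiest."""
    return Counter(str(rec["src"]) for rec in findings)

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_LOG.splitlines(), ["10.20.30.0/24"])))
```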
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-20439 |
| Vendor / Product | Cisco — Smart Licensing Utility |
| NVD Published | 2024-09-04 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-912 |
| CISA KEV Added | 2025-03-31 |
| CISA KEV Deadline | 2025-04-21 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-09-04 | Cisco publishes advisory; Cisco Smart Licensing Utility 2.3.0 released with fix |
| 2025-03-31 | CISA adds to KEV (7 months after patch — active exploitation confirmed) |
| 2025-04-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — Cisco Smart Licensing Utility Vulnerabilities | Vendor Advisory |
| NVD — CVE-2024-20439 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |