2 Critical Cisco Flaws Under Active Exploitation in Smart Licensing Utility

Introduction

Cyber attackers are actively exploiting two critical vulnerabilities in Cisco Smart Licensing Utility (CSLU), according to the SANS Internet Storm Center. These security flaws, which have now been patched, could allow attackers to gain administrative access and extract sensitive credentials through crafted HTTP requests.

The Vulnerabilities in Detail

The two critical vulnerabilities being exploited are:

1. CVE-2024-20439 (CVSS score: 9.8)
   • This flaw involves an undocumented static user credential for an administrative account.
   • Attackers can leverage this credential to log in with admin privileges and gain full control over the affected system.
2. CVE-2024-20440 (CVSS score: 9.8)
   • This vulnerability arises from verbose debug log files that store sensitive information.
   • By sending a crafted HTTP request, attackers can access these log files and extract API credentials, allowing further exploitation.

Impact of the Vulnerabilities

Successful exploitation of these flaws could allow threat actors to:

• Log in with administrative privileges on vulnerable systems.
• Extract sensitive log data containing authentication credentials.
• Use stolen API credentials to launch further attacks or gain persistent access.

However, the vulnerabilities can only be exploited if the Cisco Smart Licensing Utility is actively running, making it crucial for organizations using vulnerable versions to take immediate action.

Affected Versions and Patches

The vulnerabilities impact the following CSLU versions:

• 2.0.0
• 2.1.0
• 2.2.0

Cisco released patches in September 2024 to address these flaws.

• Version 2.3.0 of CSLU is not vulnerable to the two bugs.

Ongoing Exploitation in the Wild

As of March 2025, attackers have been seen actively exploiting these vulnerabilities.
According to Johannes B. Ullrich, Dean of Research at SANS Technology Institute, threat actors are also weaponizing other flaws, including:

• CVE-2024-0305 – An information disclosure vulnerability in Guangzhou Yingke Electronic Technology Ncast (CVSS score: 5.3).

The end goal of the campaign and the identities of the attackers remain unknown, but the active exploitation highlights the urgency for organizations to apply patches immediately.

How to Protect Your Systems

To mitigate the risk of exploitation:

1. Update to Cisco Smart Licensing Utility 2.3.0 – This version is not vulnerable to the two flaws.
2. Apply the September 2024 patches – If you are using CSLU versions 2.0.0, 2.1.0, or 2.2.0, ensure you have installed the latest security updates.
3. Disable unused services – If CSLU is not in use, consider disabling it to minimize the attack surface.
4. Monitor for suspicious activity – Implement intrusion detection systems (IDS) to identify potential exploitation attempts.

Conclusion

The active exploitation of Cisco Smart Licensing Utility vulnerabilities demonstrates how attackers rapidly weaponize newly disclosed flaws. Organizations must apply the patches immediately to protect their networks from potential breaches.
By keeping systems up to date and monitoring for suspicious activity, businesses can reduce their exposure to these and future security threats.