Cisco has issued an urgent warning to administrators following active exploitation of a critical vulnerability (CVE-2024-20439) in its Smart Licensing Utility (CSLU), according to BleepingComputer.
The flaw stems from an undocumented static admin credential and allows unauthenticated attackers to gain remote administrative access to vulnerable systems through the CSLU API. Although Cisco patched it in September 2024, exploitation attempts were reported in March 2025, prompting Cisco to reinforce its call for immediate updates.
Cisco confirmed the exploitation attempts in March 2025 and has urged all users to apply the fix immediately. The situation has worsened as attackers reportedly chain CVE-2024-20439 with a second vulnerability, CVE-2024-20440, to read log files containing API credentials and other sensitive information.
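The two weaknesses described above, a static administrative credential built into an API service and log files that expose API credentials, are generic defects that any service can carry. The following Python is an added illustration written for this article, not Cisco's or CSLU's code: it shows the vulnerable pattern (a credential fixed at build time, so every installation shares it) beside a hardened form (a per-deployment credential stored only as a salted PBKDF2 hash, with no default at all), and a log filter that scrubs secrets before they reach a readable file. All credential values and log lines are constructed placeholders.

```python
"""Static-credential and credential-in-logs patterns, vulnerable vs. hardened.
Generic illustration; not the code of any Cisco product."""
import hashlib
import hmac
import logging
import os
import re

# --- Vulnerable pattern: credential compiled into the service ---
# Every installation of this build accepts the same username/password,
# so anyone who learns it once can log in to all of them.
_STATIC_ADMIN_CREDENTIAL = ("admin", "placeholder-static-secret")  # constructed placeholder


def vulnerable_authenticate(username: str, password: str) -> bool:
    """Accepts the built-in credential regardless of deployment configuration."""
    return (username, password) == _STATIC_ADMIN_CREDENTIAL


# --- Hardened pattern: per-deployment credential, no default ---
_ITERATIONS = 200_000
_DUMMY_SALT = b"\x00" * 16


class CredentialStore:
    """Holds salted PBKDF2 digests only; plaintext is never retained."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
        self._records[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do equal work for unknown users so response time does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, _ITERATIONS)
            return False
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
        return hmac.compare_digest(digest, expected)


def hardened_authenticate(store: CredentialStore, username: str, password: str) -> bool:
    """A deployment with no configured administrator rejects every login."""
    return store.verify(username, password)


# --- Log hygiene: scrub credential-like values before they are written ---
# Matches "api_key=...", "password: ...", "Authorization: Bearer ..." and similar.
_SECRET_PATTERN = re.compile(
    r"(?i)(api[_-]?key|password|passwd|token|authorization)"
    r"(\s*[=:]\s*)((?:bearer\s+|basic\s+)?[^\s,;&]+)"
)


def redact_secrets(line: str) -> str:
    """Replaces the value following a credential-like key with [REDACTED]."""
    return _SECRET_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """Applies redact_secrets to every record before handlers see it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = ()
        return True


def make_logger(name: str = "api") -> logging.Logger:
    """Builds a logger whose output never contains raw credential values."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("admin", "constructed-example-password")
    log = make_logger()
    logging.basicConfig(level=logging.INFO)
    log.info("login ok=%s", hardened_authenticate(store, "admin", "constructed-example-password"))
    log.info("GET /api/devices?api_key=CONSTRUCTED-KEY-123 from 10.0.0.5")  # constructed line
```

The point of the hardened half is not the hashing detail but the absence of any fallback: if no administrator has been configured, `hardened_authenticate` cannot succeed, which is exactly what a static credential makes impossible. The log filter addresses the second weakness independently, so that even a file read through an unrelated disclosure bug carries no reusable credentials.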
In response, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-20439 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to patch systems by April 21, 2025. Although the CSLU app does not run by default, any instance left exposed can serve as an entry point for attackers, especially when paired with the information-disclosure bug, CVE-2024-20440.
Cisco has faced similar backdoor issues in the past across platforms like IOS XE, WAAS, and DNA Center. This latest incident reinforces the urgent need for security hygiene, network segmentation, and restricting access to CSLU instances.