CVE-2024-20439
In short
Cisco Smart Licensing Utility has a hidden default admin password that anyone on the internet can use to log in and take full control of the system without needing legitimate credentials.
Technical detail
CVE-2024-20439 is an undocumented static administrative credential in CSLU's authentication mechanism (CWE-912: Hidden Functionality). An unauthenticated remote attacker who knows this hardcoded credential can use it against the application API to obtain administrative access without any prior authentication or authorization. Successful exploitation grants full administrative control over the CSLU application and its API endpoints.
Summary generated and translated by AI from the official description.
A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential.
This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative rights over the CSLU application API.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Cisco · Cisco Smart License Utility