A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to login to the affected system. A successful exploit could allow the attacker to login to the affected system with administrative rights over the CSLU application API.
The CSLU application code contains a static, undocumented administrative account with an immutable password (CWE-912: hidden functionality, CWE-798: hardcoded credentials). An attacker who obtains these credentials can send a login request to the application's API interface without any prior authorization. Because the credentials are identical across all CSLU installations, every network-accessible vulnerable instance is equally exposed. The attack requires no user interaction or special network conditions.
An attacker gains full administrative access to the Cisco Smart Licensing Utility API interface, enabling reading and modification of licensing configuration and potentially serving as an entry point for further lateral movement within the organization's network.
Apply patches available from the vendor according to the references — detailed information about patched versions is contained in the Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw. Until the patch is deployed, it is recommended to restrict network access to the CSLU API interface exclusively to trusted hosts (firewall, ACL).
Cisco Smart Licensing Utility (CSLU) — versions indicated in the vendor's references (Cisco advisory cisco-sa-cslu-7gHMzWmw)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCisco Smart License Utility
APPCisco2.0.0 – 2.3.0 (bez)
CISA KEV — detailsi
- Vendori
- Cisco ↗
- Producti
- Smart Licensing Utility
- Added to KEVi
- March 31, 2025
- Remediation deadline (US Federal)i
- April 21, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.
Related vulnerabilities
A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to access sen...
Cisco Catalyst SD-WAN — pominięcie uwierzytelnienia z dostępem administracyjnym
RCE przez insecure deserialization w Cisco Secure Firewall Management Center
Cisco Catalyst SD-WAN — ominięcie uwierzytelnienia peering i przejęcie uprawnień
RCE z uprawnieniami root w Cisco Secure Email Gateway i Secure Email and Web Manager