Cisco’s Smart Licensing Utility (CSLU) is being targeted by attackers due to two critical flaws that expose a built-in backdoor admin account and allow unauthenticated access to sensitive data. The vulnerabilities, CVE-2024-20439 and CVE-2024-20440, were patched by Cisco in September but have been chained together by threat actors in exploitation attempts.
CSLU is a Windows application used for managing licenses and linked products on-premises without connecting them to Cisco’s cloud-based Smart Software Manager solution. The backdoor admin account allows attackers to log into unpatched systems remotely with admin privileges over the API of the CSLU app, while the second vulnerability enables access to log files containing sensitive data.
Aruba threat researcher Nicholas Starke reverse-engineered the vulnerability and published a write-up with technical details, including the decoded hardcoded static password. SANS Technology Institute’s Dean of Research Johannes Ullrich reported that threat actors are now chaining these two security flaws in exploitation attempts targeting CSLU instances exposed on the internet.
The end goal of these attacks is not known. Cisco’s security advisory states that its Product Security Incident Response Team (PSIRT) has found no evidence of the two flaws being exploited in attacks, but that does not mean attackers will not attempt to use them in future attacks.
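The chain described above (an API login with the built-in admin account, followed by retrieval of log files) is something a defender can look for in web-access logs from the CSLU host. The script below is an added example written for this page, not code from Cisco, the researchers, or the article; the log format, the endpoint paths (`/api/login`, `/api/logs/`), the trusted management networks and the sample lines are all constructed placeholders and must be replaced with the product's real values before use. It flags two conditions: a successful log-file read with no authenticated user (the unauthenticated access flaw), and a log-file read that follows a successful API login from the same source address within a short window (the chained pattern), noting whether that source lies outside the networks expected to manage licensing.

```python
"""Correlate API admin logins with subsequent log-file reads, per source IP.

Everything here (log line format, endpoint paths, trusted networks, sample
data) is a constructed placeholder for illustration; it is not CSLU's real
log format or API surface.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical access-log format:
#   "<ISO timestamp> <src ip> <method> <path> <status> user=<name-or-empty>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S*)$"
)

LOGIN_PATH = "/api/login"        # placeholder, not a real CSLU path
LOG_FILE_PREFIX = "/api/logs/"   # placeholder, not a real CSLU path
WINDOW = timedelta(minutes=10)   # login -> log read correlation window

# Networks from which licensing management is expected (placeholder RFC 1918
# ranges); anything else is treated as a remote/external source.
TRUSTED_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip):
    """True if the address is outside every trusted management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def find_chains(lines):
    """Return findings, in time order, for unauthenticated log reads and for
    log reads that follow a successful API login from the same IP within WINDOW."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    logins = defaultdict(list)  # ip -> timestamps of successful logins
    findings = []
    for e in events:
        if e["path"] == LOGIN_PATH and e["status"] == 200:
            logins[e["ip"]].append(e["ts"])
        elif e["path"].startswith(LOG_FILE_PREFIX) and e["status"] == 200:
            base = {"ip": e["ip"], "ts": e["ts"], "path": e["path"],
                    "external": is_external(e["ip"])}
            if not e["user"]:
                findings.append({**base, "kind": "unauthenticated_log_read"})
            recent = [t for t in logins[e["ip"]] if timedelta(0) <= e["ts"] - t <= WINDOW]
            if recent:
                findings.append({**base, "kind": "login_then_log_read",
                                 "login_ts": max(recent)})
    return findings


# Constructed sample lines: one external chained login+read, one unauthenticated
# read, and one internal login whose log read falls outside the window.
SAMPLE_LOG = """\
2024-09-05T10:00:01 203.0.113.7 POST /api/login 200 user=admin
2024-09-05T10:00:09 203.0.113.7 GET /api/logs/cslu.log 200 user=admin
2024-09-05T10:05:00 198.51.100.23 GET /api/logs/cslu.log 200 user=
2024-09-05T11:00:00 10.0.0.5 POST /api/login 200 user=admin
2024-09-05T11:30:00 10.0.0.5 GET /api/logs/cslu.log 200 user=admin
2024-09-05T11:31:00 10.0.0.5 GET /api/products 200 user=admin
""".splitlines()

if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<15} {f['kind']:<26} external={f['external']}")
```

On the constructed sample the script reports the external source that logged in and read a log file eight seconds later, and the unauthenticated read from a second external address; the internal session whose log read came 30 minutes after login is not flagged, which is the intended effect of the window. Tune `WINDOW` and `TRUSTED_NETS` to the environment, and feed real access logs once the format and paths are substituted.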
This incident highlights the importance of keeping software up-to-date and ensuring that all systems are patched against known vulnerabilities. Cisco’s repeated introduction of backdoor accounts in its products is also a concern, as seen in previous incidents involving Digital Network Architecture (DNA) Center, IOS XE, Wide Area Application Services (WAAS), and Emergency Responder software.
Source: https://www.bleepingcomputer.com/news/security/critical-cisco-smart-licensing-utility-flaws-now-exploited-in-attacks