Cisco has warned admins to patch a important Cisco Sensible Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now utilized in assaults.
CSLU is a Home windows app for managing licenses and linked merchandise on-premises with out connecting them to Cisco’s cloud-based Sensible Software program Supervisor answer.
Cisco patched this safety flaw (CVE-2024-20439) in September, describing it as “an undocumented static consumer credential for an administrative account” that lets unauthenticated attackers log into unpatched programs remotely with admin privileges over the Cisco Sensible Licensing Utility (CSLU) app’s API.
CVE-2024-20439 solely impacts programs working weak Cisco Sensible Licensing Utility releases, nevertheless it’s solely exploitable if the consumer begins the CSLU app (which does not run within the background by default).
Aruba risk researcher Nicholas Starke reverse-engineered the vulnerability two weeks after Cisco launched safety patches and revealed a write-up with technical particulars (together with the decoded hardcoded static password).
“In March 2025, the Cisco Product Safety Incident Response Crew (PSIRT) turned conscious of tried exploitation of this vulnerability within the wild,” the corporate stated in a Tuesday replace to the unique safety advisory. “Cisco continues to strongly advocate that clients improve to a hard and fast software program launch to remediate this vulnerability.”
Chained with a second vulnerability
Whereas Cisco did not share any particulars on these assaults, Johannes Ullrich, SANS Expertise Institute’s Dean of Analysis, noticed a marketing campaign final month that used the backdoor admin account to assault CSLU situations uncovered on-line.
Ullrich stated in March that risk actors are chaining CVE-2024-20439 with a second flaw, a important CLSU data disclosure vulnerability (CVE-2024-20440) that unauthenticated attackers can exploit to realize entry to log information containing delicate knowledge (together with API credentials) by sending crafted HTTP requests to weak units.
“A fast search did not present any energetic exploitation [at the time], however particulars, together with the backdoor credentials, had been revealed in a weblog by Nicholas Starke shortly after Cisco launched its advisory. So it’s no shock that we’re seeing some exploit exercise,” Ullrich stated.
On Monday, CISA added the CVE-2024-20439 static credential vulnerability to its Identified Exploited Vulnerabilities Catalog, ordering U.S. federal businesses to safe their programs in opposition to energetic exploitation inside three weeks, by April 21.
This is not the primary backdoor account faraway from Cisco merchandise in recent times, with earlier hardcoded credentials present in its IOS XE, Broad Space Software Companies (WAAS), Digital Community Structure (DNA) Middle, and Emergency Responder software program.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the right way to defend in opposition to them.