Cisco patched this security flaw (tracked as CVE-2024-20439) in September, describing it as "an undocumented static user credential for an administrative account" that can let unauthenticated attackers log into unpatched systems remotely with admin privileges over the API of the CSLU app. Aruba threat researcher Nicholas Starke reverse-engineered the vulnerability and published a write-up with technical details (including the decoded hardcoded static password) roughly two weeks after Cisco released security patches. CVE-2024-20439 isn't the first backdoor account Cisco removed from its products in recent years, with previous hardcoded credentials found in the company's Digital Network Architecture (DNA) Center, IOS XE, Wide Area Application Services (WAAS), and Emergency Responder software. Cisco's security advisory for CVE-2024-20439 and CVE-2024-20440 still says that its Product Security Incident Response Team (PSIRT) has found no evidence that threat actors exploit the two security flaws in attacks. While the end goal of these attacks is not known, the threat actor behind them is also trying to exploit other security vulnerabilities, including what looks like an information disclosure flaw with a public proof-of-concept exploit (CVE-2024-0305) impacting Guangzhou Yingke Electronic DVRs. Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. SANS Technology Institute's Dean of Research Johannes Ullrich reported that threat actors are now chaining the two security flaws in exploitation attempts targeting CSLU instances exposed on the Internet. These two vulnerabilities only impact systems running vulnerable Cisco Smart Licensing Utility releases and are only exploitable if the user starts the CSLU app—which isn't designed to run in the background by default. "A quick search didn't show any active exploitation [at the time], but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. The company also addressed a second critical CLSU information disclosure vulnerability (CVE-2024-20440) that unauthenticated attackers can use to access log files containing sensitive data (including API credentials) by sending crafted HTTP requests to vulnerable devices. The CSLU Windows application allows admins to manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 20 Mar 2025 19:10:05 +0000