Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges.
CSLU is a Windows application that helps manage licenses and linked products on-premise without connecting them to Cisco’s cloud-based Smart Software Manager solution.
The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an “undocumented static user credential for an administrative account.”
“A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application,” it explained.
Cisco also released security updates for a critical CLSU information disclosure vulnerability (CVE-2024-20440) that unauthenticated threat actors can exploit to access log files containing sensitive data (including API credentials) by sending crafted HTTP requests to affected devices.
The two security vulnerabilities only impact systems running a vulnerable Cisco Smart Licensing Utility release, regardless of their software configuration. The security flaws are only exploitable if a user starts the Cisco Smart Licensing Utility, which is not designed to run in the background.
| Cisco Smart License Utility Release | First Fixed Release |
|---|---|
| 2.0.0 | Migrate to a fixed release. |
| 2.1.0 | Migrate to a fixed release. |
| 2.2.0 | Migrate to a fixed release. |
| 2.3.0 | Not vulnerable. |
The Cisco Product Security Incident Response Team (PSIRT) says it has yet to find public exploits or evidence of threat actors exploiting the security flaws in attacks.
This isn’t the first backdoor account Cisco has removed from its products in recent years. Previous undocumented hardcoded credentials were found in the company’s Digital Network Architecture (DNA) Center, IOS XE, Wide Area Application Services (WAAS), and Emergency Responder software.
Last month, Cisco also patched a maximum severity vulnerability (CVE-2024-20419) that enables attackers to change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. Three weeks later, the company said that exploit code had been published online and warned admins to patch their SSM On-Prem servers to block potential attacks.
In July, Cisco fixed an NX-OS zero-day (CVE-2024-20399) that had been exploited since April to install previously unknown malware as root on vulnerable MDS and Nexus switches.
Cisco also warned in April that state-backed hackers (tracked as UAT4356 and STORM-1849) exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide