Ethical Hacking News

Cisco CSLU Backdoor Admin Account: A Cybersecurity Threat Lurking in Plain Sight


Cisco has warned that a critical vulnerability in its Smart Licensing Utility (CSLU), an undocumented built-in administrative account with a static credential, is now being used in attacks. Organizations running CSLU should apply the fix Cisco released in September 2024 without delay.

  • Cisco has disclosed a critical vulnerability in its Smart Licensing Utility (CSLU), tracked as CVE-2024-20439: an undocumented administrative account whose credential is hardcoded into the software.
  • The flaw lets unauthenticated remote attackers log in to unpatched systems with admin privileges over the CSLU application's API.
  • Cisco released a patch in September 2024. The flaw is only reachable while the CSLU application is running; it does not run in the background by default.
  • Threat actors have been observed chaining CVE-2024-20439 with a second flaw, CVE-2024-20440, an information-disclosure bug in which a crafted HTTP request returns log files containing sensitive data such as API credentials.
  • CISA has added CVE-2024-20439 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to remediate it within three weeks, by April 21.
  • The root cause, a credential baked into shipped software, is a recurring design flaw rather than a one-off: Cisco has removed similar static accounts from other products in recent years.



    In a recent alert, Cisco has sounded the alarm about a critical vulnerability in its Smart Licensing Utility (CSLU) that exposes a built-in backdoor admin account. This discovery has significant implications for organizations relying on CSLU to manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.

    According to Sergiu Gatlan, the author of the original BleepingComputer article, the vulnerability, designated CVE-2024-20439, was first identified by Aruba threat researcher Nicholas Starke. Cisco released a security patch in September 2024, describing the flaw as "an undocumented static user credential for an administrative account" that allows unauthenticated attackers to log in to unpatched systems remotely with admin privileges over the CSLU app's API.

    The vulnerability only affects systems running vulnerable CSLU releases, and it is only exploitable while the user has the CSLU application running, since it does not run in the background by default. Those conditions matter for triage, but they do not reduce the severity: once the app is running, anyone who can reach its API can authenticate as an administrator, and the account is now being used in attacks. Organizations that use CSLU should apply the patch rather than rely on the application being stopped.
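    The design defect behind CVE-2024-20439, a credential compiled into the software, is shown below beside the hardened alternative, as an added example in Python. This is illustrative code, not CSLU's: the account name and password are constructed placeholders and are not the real CSLU credential, and the API is assumed to use HTTP Basic authentication purely for the purpose of the example.

```python
"""Hardcoded static admin credential (the CVE-2024-20439 pattern) beside a
hardened design.  Added example, not CSLU's code.  STATIC_USER/STATIC_PASS are
constructed placeholders for this example, NOT the real CSLU credential."""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Vulnerable pattern: an undocumented service account compiled into the
# binary.  Every installation shares it, nobody can rotate it, and whoever
# reverse-engineers one copy can log in to all of them over the API.
STATIC_USER = "svc-admin"          # constructed placeholder
STATIC_PASS = "Example#Static1"    # constructed placeholder


def _parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; return None on malformed input."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def vulnerable_authenticate(authorization_header: Optional[str]) -> Optional[str]:
    """Return the caller's role or None.  Silently accepts the baked-in account."""
    creds = _parse_basic(authorization_header)
    if creds is None:
        return None
    user, password = creds
    if user == STATIC_USER and password == STATIC_PASS:   # the backdoor
        return "admin"
    return None


# --- Hardened pattern: no built-in accounts.  The admin credential is created
# at install/first-run time, stored only as a salted PBKDF2 hash, and compared
# in constant time.  Nothing in the shipped binary can log in on its own.
class CredentialStore:
    ITERATIONS = 200_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}  # user -> (salt, hash, role)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def provision(self, user: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt), role)

    def authenticate(self, authorization_header: Optional[str]) -> Optional[str]:
        creds = _parse_basic(authorization_header)
        if creds is None:
            return None
        user, password = creds
        record = self._users.get(user)
        if record is None:
            # Hash anyway so unknown and known users take the same time.
            self._hash(password, b"\x00" * 16)
            return None
        salt, stored, role = record
        return role if hmac.compare_digest(self._hash(password, salt), stored) else None


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def generate_initial_password() -> str:
    """What a hardened installer does instead of shipping a fixed value."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    hdr = basic_header(STATIC_USER, STATIC_PASS)
    print("vulnerable design accepts static account:", vulnerable_authenticate(hdr))
    store = CredentialStore()
    store.provision("admin", generate_initial_password(), "admin")
    print("hardened design accepts static account:", store.authenticate(hdr))
```

    The point of the hardened version is not the hashing but the absence of any account that exists before the operator creates one; the constant-time comparison and the dummy hash on unknown users are the secondary details that keep the replacement from leaking which usernames exist.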

    Threat actors have also been observed chaining CVE-2024-20439 with a second flaw, CVE-2024-20440, a critical information-disclosure vulnerability. By sending a crafted HTTP request to a vulnerable CSLU instance, an unauthenticated attacker can retrieve log files containing sensitive data such as API credentials, which can then be used to reach other systems.

    Nicholas Starke's published reverse-engineering write-up provides technical details of both vulnerabilities, including the hardcoded static password of the admin account. Johannes Ullrich, Dean of Research at the SANS Technology Institute, reported observing attempts to use this account in attacks; Cisco had seen no exploitation when the patch shipped, but it has since become aware of attempts to use the vulnerability.
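    A triage routine for the chained pattern described above, as an added example that is not from the original article, from Cisco, or from SANS: it reads web-server access logs in the common "combined" format, flags successful requests authenticated as a known static service account, and flags retrievals of log files, separating those that follow such a login within a few minutes from unauthenticated ones (the CVE-2024-20440 shape). The log lines, IP addresses, the account name `svc-admin`, the port-less paths and the `/logs/` URL pattern are all constructed for illustration and do not reflect CSLU's real endpoints.

```python
"""Access-log triage for 'static account login, then log-file pull'.
Added example.  Sample log lines, the account name and the URL paths are
constructed for illustration and are not CSLU's real endpoints."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical defender-maintained list of vendor accounts that should never log in.
KNOWN_STATIC_ACCOUNTS = {"svc-admin"}   # placeholder name, not the CSLU account
# Assumed shape of log-retrieval URLs; adjust to the product's real paths.
LOG_PULL_PATH = re.compile(r"\.log(\?|$)|/logs?(/|$)", re.IGNORECASE)

# Apache/nginx "combined" format; the third field is the authenticated user (%u).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one host logs in with the static account and pulls a log,
# one legitimate operator, and one unauthenticated probe that is refused.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:02:14:09 +0000] "GET /api/v1/jobs HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - svc-admin [12/Mar/2025:02:14:10 +0000] "GET /api/v1/jobs HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:02:14:11 +0000] "GET /api/v1/logs/app.log HTTP/1.1" 200 65021 "-" "python-requests/2.31"
198.51.100.4 - operator [12/Mar/2025:03:01:55 +0000] "GET /api/v1/status HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2025:04:20:00 +0000] "GET /api/v1/logs/app.log HTTP/1.1" 401 0 "-" "curl/8.5"
"""


def parse(text: str) -> List[dict]:
    """Parse combined-format lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def triage(text: str, window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return one finding per suspicious observation, grouped by source IP."""
    findings: List[str] = []
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in parse(text):
        by_ip[e["ip"]].append(e)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # (1) the static account actually got in (any non-error status)
        static_hits = [e for e in events
                       if e["user"] in KNOWN_STATIC_ACCOUNTS and e["status"] < 400]
        for e in static_hits:
            findings.append(f"{ip}: static account '{e['user']}' accepted on {e['path']}")
        # (2) a successful log-file pull, tagged by how it relates to (1)
        for e in events:
            if LOG_PULL_PATH.search(e["path"]) and e["status"] == 200:
                chained = any(abs(e["ts"] - s["ts"]) <= window for s in static_hits)
                if chained:
                    tag = "chained"
                elif e["user"] == "-":
                    tag = "unauthenticated"
                else:
                    tag = "authenticated"
                findings.append(f"{ip}: {tag} log-file retrieval {e['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    An "unauthenticated" log-file retrieval that returns 200 is worth a ticket on its own, since it matches the information-disclosure flaw regardless of whether the static account was used first; the "chained" tag is what turns it into the two-step pattern reported in the attacks.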

    On Monday, CISA added CVE-2024-20439 to its Known Exploited Vulnerabilities Catalog, ordering U.S. federal agencies to secure their systems against active exploitation within three weeks, by April 21. A KEV listing is a reliable signal that exploitation is happening in the wild, and the same deadline is a sensible target for organizations outside the federal government.

    The underlying defect, a credential hardcoded into shipped software, is not specific to CSLU. In recent years Cisco has removed similar built-in accounts from other products, including IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software, and the same class of flaw turns up regularly in products from other vendors.

    For defenders the concrete steps are: upgrade CSLU to a fixed release on every host where it is installed; check whether the application is currently running, since the API is only exposed while it is; restrict network access to the CSLU API to the hosts that need it; review access logs for logins with the static account and for unauthenticated retrievals of log files; and, where CVE-2024-20440 may have exposed log files, rotate the API credentials those logs contained.

    In conclusion, the CSLU backdoor account is a reminder that a static credential in shipped software is a vulnerability waiting to be found, and that once one researcher publishes it, every unpatched installation shares the same key. Patch promptly, check for exposure, and treat vendor-supplied accounts as something to be removed rather than trusted.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-CSLU-Backdoor-Admin-Account-A-Cybersecurity-Threat-Lurking-in-Plain-Sight-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/cisco-warns-of-cslu-backdoor-admin-account-used-in-attacks/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-20439

  • https://www.cvedetails.com/cve/CVE-2024-20439/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-20440

  • https://www.cvedetails.com/cve/CVE-2024-20440/


  • Published: Wed Apr 2 10:57:41 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
