Business Honor
21 March, 2025
Attackers target Cisco Smart Licensing Utility flaws, gaining remote admin access illegally.
Attackers are actively targeting unpatched instances of Cisco Smart Licensing Utility (CSLU) affected by a critical vulnerability that exposes a built-in administrative backdoor account. The vulnerability, tracked as CVE-2024-20439, lets unauthenticated attackers remotely control vulnerable systems with administrative privileges through the CSLU application's API.
Cisco fixed the issue in a security patch released in September 2024, describing it as "an undocumented static user credential for an administrative account." The same patch also fixed CVE-2024-20440, a vulnerability in which specially crafted HTTP requests could be used to extract sensitive data such as API credentials. Both issues affect only systems running vulnerable CSLU versions, and exploitation is only possible when the CSLU app is installed and has been started by the user.
Even with Cisco's patches, Aruba threat researcher Nicholas Starke reverse-engineered the vulnerability and published technical information, including the hardcoded password, two weeks after Cisco's advisory. Soon after that, security experts, such as SANS Technology Institute's Johannes Ullrich, reported seeing attackers actively exploit these vulnerabilities to take over exposed CSLU instances on the internet.
The scope of these attacks is not fully known, but researchers say the threat actor is also exploiting other vulnerabilities, including CVE-2024-0305, an information disclosure vulnerability in Guangzhou Yingke Electronic DVRs.
Cisco's Product Security Incident Response Team (PSIRT) has not confirmed active exploitation at this time and reports no definite evidence of attacks. Cisco has, however, previously removed other backdoor accounts and vulnerabilities from various products, including DNA Center, IOS XE, WAAS, and Emergency Responder software.
Organizations that use CSLU are advised to apply Cisco's security fixes as soon as possible to reduce the risk of unauthorized access and active exploitation.
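As an added example (not from the article or from Cisco) of the inventory check a defender would run before and after patching: this PowerShell script assumes CSLU registers under the standard Windows Uninstall registry keys with a DisplayName containing "Smart Licensing Utility", compares the installed version with a fixed version you supply from Cisco's advisory, and reports whether the application is currently running, since the article notes exploitation is only possible while the app is executing.

```powershell
# Added example (not from the article or Cisco): inventory a Windows host for
# CSLU installs, compare the installed version with the fixed version taken
# from Cisco's advisory, and report whether the application is running.
# Assumptions: CSLU appears under the standard Windows Uninstall keys with a
# DisplayName containing "Smart Licensing Utility"; the running check matches
# processes whose executable lives under the recorded InstallLocation.
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion   # first fixed release as listed in Cisco's advisory
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Smart Licensing Utility*' }

if (-not $installs) {
    Write-Output "CSLU not found in the Uninstall registry on $env:COMPUTERNAME"
    return
}

foreach ($app in $installs) {
    $installed = $null
    $belowFixed = 'unknown'   # DisplayVersion may be missing or unparsable
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) {
        $belowFixed = if ($installed -lt $FixedVersion) { 'YES' } else { 'no' }
    }

    # A vulnerable version is only exposed while the application is running.
    $running = @()
    if ($app.InstallLocation) {
        $running = Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path.StartsWith($app.InstallLocation,
                           [System.StringComparison]::OrdinalIgnoreCase) } |
            Select-Object -ExpandProperty ProcessName -Unique
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Product    = $app.DisplayName
        Version    = $app.DisplayVersion
        BelowFixed = $belowFixed
        Running    = if ($running) { $running -join ',' } else { 'no' }
    }
}
```

Run it with the fixed version from the advisory, for example `.\Check-Cslu.ps1 -FixedVersion <version>`, and roll it out through your endpoint management tooling to get fleet-wide coverage.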