Hackers Now Exploiting Critical Cisco Smart Licensing Utility Flaws

Cybercriminals have begun attacking unpatched Cisco Smart Licensing Utility (CSLU) instances by exploiting a vulnerability that provides access to a hidden admin account.

The flaw, CVE-2024-20439, was patched in September and allows unauthenticated remote access to affected systems using a hardcoded administrative credential. A second vulnerability, CVE-2024-20440, enables attackers to retrieve sensitive log files containing API credentials by sending malicious HTTP requests.

These flaws only affect systems running vulnerable CSLU versions, and they are only exploitable while the CSLU application is actually running; it does not run in the background by default, so a host with the app installed but not launched is not reachable through them.

Aruba researcher Nicholas Starke reverse-engineered the flaw and publicly revealed details, including the hardcoded password, just weeks after Cisco’s patch was released.

Shortly after, attackers started chaining these vulnerabilities together to target CSLU systems exposed to the Internet, according to SANS Technology Institute's Johannes Ullrich.

Cisco’s security team initially found no evidence of exploitation, but cybercriminals are now actively testing these flaws along with other vulnerabilities, including one affecting Guangzhou Yingke Electronic DVRs (CVE-2024-0305).

This isn’t the first time Cisco has had to remove backdoor accounts, as similar hardcoded credentials were previously discovered in DNA Center, IOS XE, WAAS, and Emergency Responder software.
