- Security researchers claim two Cisco Smart Licensing Utility bugs are being abused in the wild
- One of the bugs is a hardcoded admin account
- Both bugs were fixed in 2024, so users should update now
Cybercriminals are abusing two vulnerabilities found in Cisco Smart Licensing Utility (CSLU) to unknown ends.
Johannes Ullrich, Dean of Research at the SANS Technology Institute, noted threat actors are now chaining the two security flaws to target internet-exposed CSLU instances.
“A quick search didn’t show any active exploitation at the time, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. So it is no surprise that we are seeing some exploit activity,” Ullrich said.
No workarounds
CSLU is a tool that helps organizations manage and report the usage of Cisco software licenses in a more flexible and automated way.
It enables devices to connect to Cisco’s Smart Licensing system, either directly or through an on-premises satellite server, to register and track entitlements without requiring constant internet access.
In September 2024, Cisco announced patching CVE-2024-20439, “undocumented static user credential for an administrative account”, which is a fancy way of saying someone left hardcoded admin credentials in the back end.
The vulnerability allowed threat actors to log into vulnerable systems remotely, over the API or the CSLU app.
At the same time, Cisco addressed CVE-2024-20440, an information disclosure vulnerability that threat actors used to access log files with sensitive information such as API credentials.
Abusing these flaws isn’t that straightforward, BleepingComputer notes, since it requires the victim to run the CSLU app in the background, which isn’t its default setting.
In any case, both vulnerabilities were patched, and there are no workarounds, so the only way to secure your instances is to apply the patch.
In the security advisory for the flaws, Cisco said it was “not aware” of any public announcements or malicious use, meaning the pages have not yet been updated.