Cisco has eliminated a backdoor account in its Cisco Smart Licensing Utility (CSLU), which could allow attackers to remotely access unpatched systems with administrative privileges.
CSLU is a Windows-based tool used for managing licenses and linked products on-premises without requiring a connection to Cisco's cloud-based Smart Software Manager.
The critical vulnerability (CVE-2024-20439) enables unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential" tied to an administrative account. According to Cisco, "A successful exploit could allow an attacker to gain administrative access to the affected system via the API of the Cisco Smart Licensing Utility application."
In addition, Cisco has released patches for another critical flaw (CVE-2024-20440), which could allow unauthenticated attackers to access sensitive log files, including API credentials, by sending specially crafted HTTP requests to vulnerable systems.
Both vulnerabilities impact systems running a vulnerable version of the Cisco Smart Licensing Utility, regardless of the software configuration. However, the flaws can only be exploited if the utility is manually launched, as it is not designed to run in the background.
Cisco’s Product Security Incident Response Team (PSIRT) has reported no known public exploits or evidence of active attacks leveraging these vulnerabilities.
This is not the first time Cisco has addressed backdoor accounts in its products. Similar issues have been discovered in the past, including in its Digital Network Architecture (DNA) Center, IOS XE, Wide Area Application Services (WAAS), and Emergency Responder software.
Last month, Cisco patched another critical vulnerability (CVE-2024-20419) in the Cisco Smart Software Manager On-Prem (SSM On-Prem), which allowed attackers to change user passwords on unpatched license servers. Exploit code for this flaw was published online, prompting Cisco to warn admins to apply the necessary patches.
In July, Cisco also addressed a zero-day vulnerability (CVE-2024-20399) in NX-OS, which had been exploited since April to install previously unknown malware on vulnerable MDS and Nexus switches.
Earlier this year, Cisco revealed that state-backed hackers, tracked as UAT4356 and STORM-1849, had exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to breach government networks globally.