CISA Warns of Cisco Smart Licensing Utility Credential Vulnerability Exploited in Attacks


Apr 1, 2025 - 11:00

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Cisco vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following confirmation of active exploitation in the wild. 

The flaw, identified as CVE-2024-20439, affects the Cisco Smart Licensing Utility (CSLU) and allows unauthenticated, remote attackers to gain administrative access to affected systems through an undocumented, static credential.

The vulnerability, classified under CWE-912 (Hidden Functionality), carries a Critical severity with a CVSS base score of 9.8. 

According to Cisco’s security advisory, the flaw “could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential.”

Cisco Smart Licensing Utility Credential Vulnerability 

This backdoor-like access exists because a static administrative credential is embedded in the application itself; anyone who knows it and can reach the CSLU API gets full administrative privileges over that API.

Security researchers have noted that exploitation is relatively straightforward once attackers identify vulnerable systems. 

Johannes Ullrich, Dean of Research at the SANS Technology Institute, confirmed that threat actors are actively exploiting this vulnerability, especially after technical details, including the backdoor credentials, were published online.

“It is no surprise that we are seeing some exploit activity,” Ullrich noted after observing attacks in the wild.

Attackers are reportedly chaining CVE-2024-20439 with a second vulnerability in the same product, CVE-2024-20440 (CVSS 7.5, High), an information disclosure flaw in which an unauthenticated, remote attacker sends a crafted HTTP request and retrieves an overly verbose debug log file.

The two flaws reinforce each other: Cisco notes that the leaked log data can include credentials usable against the API, so an attacker can either log in directly with the static credential or harvest credentials from the logs and use them for further compromise.

The threat actors behind these exploitation attempts are also targeting other vulnerabilities, including CVE-2024-0305, which affects Guangzhou Yingke Electronic DVRs.

The summary of the vulnerability is given below:

Risk Factors / Details

Affected Products: Cisco Smart Licensing Utility releases 2.0.0, 2.1.0 and 2.2.0 (release 2.3.0 is not affected)

Impact: Allows unauthenticated, remote attackers to log in to the CSLU API using a static administrative credential

Exploit Prerequisites: Cisco Smart Licensing Utility must have been started by a user and still be running; the application does not run in the background

CVSS 3.1 Score: 9.8 (Critical)

Affected Products and Remediations

The vulnerability impacts Cisco Smart Licensing Utility releases 2.0.0, 2.1.0 and 2.2.0; release 2.3.0 is confirmed as not vulnerable. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate by April 21, 2025.

It’s important to note that these vulnerabilities are only exploitable while the CSLU application is running: it has to be started by a user and does not run as a background service by default, so an installed but idle copy exposes nothing.

However, each time a user launches the application on a host whose CSLU API port is reachable from untrusted networks, the static credential becomes usable for as long as the application stays open, so the exposure is intermittent rather than absent.

Organizations can take the following actions:

  • Update to Cisco Smart Licensing Utility version 2.3.0 or later immediately
  • If patching isn’t immediately possible, restrict network access to the CSLU API port so that only the product instances that need to reach it can do so, and avoid running CSLU on internet-facing hosts
  • Monitor hosts that run CSLU for logins to the CSLU API from unexpected sources and for unexpected retrieval of its debug log files
  • Review CISA’s KEV catalog for other actively exploited vulnerabilities requiring remediation
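The prerequisites above reduce to three questions per Windows host: is CSLU installed, is the installed release one of the three vulnerable ones, and is the application actually running and listening on the network right now. The script below is an added triage example written for this article; it is not Cisco or CISA tooling. It assumes that CSLU registers an Uninstall entry whose DisplayName contains “Smart Licensing Utility”, that the API listens on TCP 8182 (the default port Cisco documents for CSLU), and that the running process’s file description or path contains “Smart Licensing”; adjust those strings if your deployment differs.

```powershell
# Added triage example (not Cisco's or CISA's code).
# Assumptions, labelled here so they can be changed:
#   - CSLU's Add/Remove Programs entry has a DisplayName containing "Smart Licensing Utility"
#   - the CSLU API listens on TCP 8182 (Cisco's documented default port for CSLU)
#   - vulnerable releases are exactly 2.0.0, 2.1.0 and 2.2.0 per the Cisco advisory; 2.3.0 is fixed
$VulnerableVersions = @([version]'2.0.0', [version]'2.1.0', [version]'2.2.0')
$FixedVersion       = [version]'2.3.0'
$AssumedApiPort     = 8182

# Locate the CSLU install record (64-bit and 32-bit Uninstall hives).
function Get-CsluInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Smart Licensing Utility*' } |
        Select-Object -First 1 DisplayName, DisplayVersion, InstallLocation
}

# Classify a version string against the advisory's affected list.
function Test-CsluVulnerableVersion {
    param([string]$DisplayVersion)
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return 'unknown' }
    if ($VulnerableVersions -contains $v) { return 'vulnerable' }
    if ($v -ge $FixedVersion)             { return 'fixed' }
    return 'not-listed'   # older than 2.0.0: not in the advisory's vulnerable list
}

# Combine install state with live exposure. A vulnerable release only matters while
# the app is running, because CSLU does not run in the background (Cisco advisory).
function Get-CsluExposure {
    $install = Get-CsluInstall
    if (-not $install) {
        return [pscustomobject]@{ Installed = $false; Status = 'not-installed'; Running = $false; Listening = $false }
    }

    $proc = Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Description -like '*Smart Licensing*' -or $_.Path -like '*Smart Licensing*' }
    $listener = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -eq $AssumedApiPort }

    [pscustomobject]@{
        Installed     = $true
        Version       = $install.DisplayVersion
        Status        = Test-CsluVulnerableVersion $install.DisplayVersion
        Running       = [bool]$proc
        Listening     = [bool]$listener
        # 0.0.0.0 or :: means the API is reachable from the network, not just localhost
        ListenAddress = (($listener | ForEach-Object { $_.LocalAddress }) -join ',')
    }
}

Get-CsluExposure | Format-List
```

Read the result as a whole: Status = vulnerable with Running = false is a patching item; Status = vulnerable with Listening = true and a ListenAddress of 0.0.0.0 or :: is an incident-response item on a host that is reachable from beyond localhost, and the segmentation step above should be applied to it first.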

Organizations should prioritize addressing this vulnerability given its critical nature, ease of exploitation, and confirmation of active attacks. 

As the CISA KEV catalog continues to be the authoritative source for tracking exploited vulnerabilities, security teams should incorporate it into their vulnerability management prioritization frameworks.


The post CISA Warns of Cisco Smart Licensing Utility Credential Vulnerability Exploited in Attacks appeared first on Cyber Security News.