Attack

Critical Cisco Smart Licensing Utility flaws actively exploited in attacks

Take action: If you are using Cisco Smart Licensing Utility, plan to patch IMMEDIATELY. Even though the flaws can only be exploited while CSLU is running, the observed attacks show that plenty of instances are running and being exploited. Don't delay.

Hackers are targeting unpatched Cisco Smart Licensing Utility (CSLU) instances by exploiting two critical vulnerabilities that were patched in September 2024. The attacks were reported by Johannes Ullrich of the SANS Technology Institute, who observed exploitation attempts against both flaws in the wild.

Vulnerability summary

  • CVE-2024-20439 (CVSS score 9.8) - A critical vulnerability involving an undocumented static user credential (backdoor) for an administrative account that allows unauthenticated attackers to remotely log into vulnerable systems with administrative privileges via the CSLU API.
  • CVE-2024-20440 (CVSS score 9.8) - An information disclosure vulnerability enabling unauthenticated attackers to access log files containing sensitive data, including API credentials, by sending crafted HTTP requests to vulnerable devices.

The attackers are part of a botnet that has been active for several weeks, targeting various vulnerabilities and also scanning for exposed secrets such as backup files left by administrators.

These vulnerabilities impact a wide range of Cisco products using the CSLU Windows application, which allows administrators to manage licenses and linked products on-premises without connecting to Cisco's cloud-based Smart Software Manager.

Exploitation is only possible if the CSLU application is actively running, as it's not designed to operate in the background by default.

Organizations using the Cisco Smart Licensing Utility should:

  1. Apply the September 2024 security patches immediately
  2. Ensure the CSLU application is only running when needed
  3. Monitor for unauthorized access attempts
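Since the flaws are only reachable while CSLU is running, a quick per-host triage is to check whether the utility is up, what version it is, and what it is listening on. The PowerShell below is an added example, not code from the article or from Cisco; the process name and the minimum fixed version are placeholders you must replace with the values for your deployment.

```powershell
# Added example (not from the article or Cisco): per-host check of whether the
# Cisco Smart Licensing Utility is running and network-exposed, plus a version gate.
# ASSUMPTIONS (verify locally): the process name and the minimum fixed version
# below are placeholders, not values taken from the article.
param(
    [string]$ProcessName = 'CiscoSmartLicenseUtility',   # placeholder: confirm the real process name
    [version]$MinimumFixedVersion = [version]'0.0.0'      # placeholder: set to Cisco's fixed release
)

$result = [ordered]@{
    Host           = $env:COMPUTERNAME
    Running        = $false
    Version        = $null
    Patched        = $null
    ListeningPorts = @()
    RemoteClients  = @()
}

$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc) {
    $result.Running = $true
    # File version of the running binary, compared against the fixed release.
    $verString = (Get-Item $proc.Path).VersionInfo.FileVersion
    if ($verString -match '^\d+(\.\d+){1,3}') { $result.Version = [version]$Matches[0] }
    if ($result.Version) { $result.Patched = $result.Version -ge $MinimumFixedVersion }

    # Exposure: ports this process listens on, and any established non-loopback peers.
    $conns = Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue
    $result.ListeningPorts = @($conns | Where-Object State -eq 'Listen' |
        Select-Object -ExpandProperty LocalPort -Unique)
    $result.RemoteClients = @($conns | Where-Object { $_.State -eq 'Established' -and
        $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique)
}

$obj = [pscustomobject]$result
# Triage: running and not confirmed patched is the case to act on first.
if ($obj.Running -and $obj.Patched -ne $true) {
    Write-Warning "$($obj.Host): CSLU running (v$($obj.Version)) and not confirmed patched; listening on $($obj.ListeningPorts -join ',')"
}
$obj
```

Run it under an account that can read the CSLU binary and TCP table; hosts that report Running with Patched not equal to True go to the top of the patch queue, and any non-loopback RemoteClients entries are worth correlating with your access logs.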