Cisco warns of CSLU backdoor admin account used in attacks
Cisco has warned admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
CSLU is a Windows app for managing licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
Cisco patched this security flaw (CVE-2024-20439) in September, describing it as "an undocumented static user credential for an administrative account" that lets unauthenticated attackers log into unpatched systems remotely with admin privileges over the Cisco Smart Licensing Utility (CSLU) app's API.
CVE-2024-20439 affects only systems running vulnerable Cisco Smart Licensing Utility releases, and it is exploitable only while the user has the CSLU app running (it does not run in the background by default).
Aruba threat researcher Nicholas Starke reverse-engineered the vulnerability two weeks after Cisco released security patches and published a write-up with technical details (including the decoded hardcoded static password).
"In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild," the company said in a Tuesday update to the original security advisory. "Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
Chained with a second vulnerability
While Cisco didn't share any details on these attacks, Johannes Ullrich, SANS Technology Institute's Dean of Research, spotted a campaign last month that used the backdoor admin account to attack CSLU instances exposed online.
Ullrich said in March that threat actors are chaining CVE-2024-20439 with a second flaw, a critical CSLU information disclosure vulnerability (CVE-2024-20440). Unauthenticated attackers can exploit it by sending crafted HTTP requests to vulnerable devices to gain access to log files containing sensitive data, including API credentials.
"A quick search didn't show any active exploitation [at the time], but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. So it is no surprise that we are seeing some exploit activity," Ullrich said.
On Monday, CISA added the CVE-2024-20439 static credential vulnerability to its Known Exploited Vulnerabilities Catalog, ordering U.S. federal agencies to secure their systems against active exploitation within three weeks, by April 21.
This isn't the first backdoor account removed from Cisco products in recent years, with previous hardcoded credentials found in its IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software.