Hackers Exploit Critical Cisco Smart Licensing Utility Vulnerabilities
Security researchers have detected active exploitation attempts targeting two critical vulnerabilities in Cisco’s Smart Licensing Utility, despite patches being released six months ago. These flaws could allow unauthorized access to sensitive licensing data and administrative functions.
The vulnerabilities, CVE-2024-20439 and CVE-2024-20440, were disclosed in September 2024 and both carry a CVSS score of 9.8. CVE-2024-20439 acts as a backdoor, enabling unauthenticated remote attackers to gain access using hardcoded credentials. Meanwhile, CVE-2024-20440 exposes sensitive API credentials due to excessive logging in debug files.
Security researcher Nicholas Starke from Aruba, a Hewlett Packard Enterprise company, identified that vulnerable Cisco Smart Licensing Utility versions (2.0.0 - 2.2.0) contain an embedded static administrative password: Library4C$LU. This credential is hardcoded into the application’s API authentication mechanism, granting attackers administrative privileges if exploited successfully.
Ongoing Exploitation Attempts
According to SANS researchers, attackers are using specially crafted HTTP requests to exploit these vulnerabilities. One observed attack pattern shows hackers attempting to access the /cslu/v1/scheduler/jobs API endpoint using the exposed hardcoded credentials.
The Base64-encoded authorization string in the request decodes to cslu-windows-client:Library4C$LU, confirming it matches the static password found in Starke’s research. If successful, this grants administrative control over the affected Cisco Smart Licensing Utility, potentially enabling threat actors to manage licensing services or steal sensitive data.
Additionally, these attackers are not limiting their efforts to Cisco products. Researchers have found evidence that the same group is targeting other internet-exposed devices, including CVE-2024-0305, which affects certain DVR systems. This suggests a broad, coordinated scanning campaign aimed at exploiting known vulnerabilities across various platforms.
Cybersecurity expert Johannes Ullrich from SANS Institute noted the irony that both high-end enterprise security software and low-cost IoT devices often suffer from the same fundamental security flaws—specifically, hardcoded credentials that act as backdoors.
Mitigation and Recommendations
Organizations using Cisco Smart Licensing Utility should immediately update to version 2.3.0, which is patched against these vulnerabilities.
Network administrators should also review system logs for unauthorized access attempts targeting the /cslu/v1 endpoint, particularly those containing the compromised credentials.
Cisco has stated that these vulnerabilities can only be exploited if the Smart Licensing Utility is actively running, but given the widespread deployment of this software, the risk remains significant.
As exploitation attempts continue to rise, patching affected systems promptly remains the best defense against these critical security flaws.
