Description
Cisco has issued a critical security warning about an undocumented administrative account with static credentials in the Cisco Smart Licensing Utility (CSLU), in effect a built-in backdoor. The vulnerability, tracked as CVE-2024-20439, was patched in September 2024 but has since been observed being exploited in the wild. It lets an unauthenticated remote attacker log in to an unpatched CSLU instance with administrative privileges through the application's API. CSLU is a Windows application for managing Cisco product licenses on-premises without a connection to Cisco's cloud-based Smart Software Manager. CSLU does not run as a background service by default, so the flaw is only reachable while a user has started the application; while it is running, its API is exposed. Cisco reports that CSLU releases 2.0.0, 2.1.0 and 2.2.0 are affected, that release 2.3.0 fixes the issue and that no workarounds are available. Cisco strongly advises all users to upgrade, as threat actors have begun exploiting this account in active attacks.
Attack Details
Threat actors are exploiting CVE-2024-20439 in real-world attacks to gain unauthorized access to vulnerable CSLU instances. The vector is particularly concerning because the attacker needs no existing credentials and no user interaction: the administrative credentials are static, so they are identical on every unpatched installation, and a remote attacker who knows them can log in to the API with administrative privileges. Researchers have also observed attackers chaining CVE-2024-20439 with a second vulnerability, CVE-2024-20440, a high-severity information disclosure issue in the same releases. It allows an unauthenticated attacker to retrieve a CSLU log file by sending a specially crafted HTTP request; the log can contain sensitive data, including API credentials, that can then be reused against the instance.
Security researcher Nicholas Starke reverse-engineered the backdoor shortly after Cisco released its patches in September 2024 and publicly disclosed the hardcoded static credentials. Since then, malicious actors have been observed actively exploiting both vulnerabilities.
Johannes Ullrich, Dean of Research at the SANS Technology Institute, noted that although exploitation attempts were not widely detected immediately after the patch, the public availability of the credentials and exploit details has since led to an uptick in attacks against exposed CSLU instances.
Remediation
To protect against the exploitation of CVE-2024-20439 and CVE-2024-20440, Cisco and cybersecurity experts recommend the following steps:
Upgrade CSLU to a fixed release (2.3.0 or later); Cisco provides no workaround for either vulnerability, so patching is the only remediation.
Do not leave CSLU running when it is not in use, since the API, and with it the static-credential login and the log-file disclosure, is only reachable while the application is running.
On hosts that have run an unpatched CSLU, review for unexpected administrative API logins and log-file retrievals, and rotate any credentials that may have been exposed in CSLU log files.
The Guyana National CIRT recommends that users and administrators review this alert and apply the recommended updates where necessary.
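The following PowerShell script is an added example, not tooling from Cisco or the CIRT, that an administrator can run on a Windows host to check the three things that matter for this alert: whether CSLU is installed, whether the installed build predates the fixed release, and whether the application is currently running and listening on a TCP port (the flaws are only exposed while it runs). The uninstall-registry display name pattern, the process-name patterns and the fixed version 2.3.0 (taken from Cisco's advisory) are assumptions stated in the comments; adjust the patterns if your installation registers under a different name.

```powershell
# Added example: inventory a Windows host for Cisco Smart Licensing Utility (CSLU),
# compare the installed version with the first fixed release, and report whether
# the application is running and listening. Not Cisco's or the CIRT's own tooling.
# Assumptions: the uninstall entry's DisplayName contains "Cisco Smart Licensing
# Utility"; the process name contains "SmartLicensing" or "CSLU"; 2.3.0 is the
# first fixed release (Cisco lists 2.0.0 through 2.2.0 as affected).

$FixedVersion = [version]'2.3.0'
$NamePattern  = 'Cisco Smart Licensing Utility'   # assumption: matched against DisplayName

function Get-CsluInstall {
    # Look in both the 64-bit and 32-bit (WOW6432Node) uninstall hives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$NamePattern*" } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CsluVulnerable {
    param([string]$DisplayVersion)
    # $true when the installed build predates the fixed release. A version string
    # that does not parse is treated as vulnerable so it is never silently skipped.
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $true }
    return $v -lt $FixedVersion
}

function Get-CsluListeners {
    # CSLU only exposes its API while the application is running: find its process
    # and any TCP ports that process is listening on. Process-name patterns are assumptions.
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like '*SmartLicensing*' -or $_.ProcessName -like '*CSLU*' }
    foreach ($p in $procs) {
        Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Process'; e = { $p.ProcessName } }, LocalAddress, LocalPort
    }
}

$installs = @(Get-CsluInstall)
if (-not $installs) {
    Write-Output 'CSLU not found in the uninstall registry; nothing to patch on this host.'
    return
}

foreach ($i in $installs) {
    $state = if (Test-CsluVulnerable -DisplayVersion $i.DisplayVersion) {
        'VULNERABLE (pre-2.3.0): upgrade required'
    } else {
        'patched'
    }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
}

$listeners = @(Get-CsluListeners)
if ($listeners) {
    Write-Output 'CSLU is running and listening; its API is reachable until the application is closed:'
    $listeners | Format-Table -AutoSize
} else {
    Write-Output 'No CSLU process is listening right now (the flaws are only exposed while it runs).'
}
```

Run it in an elevated PowerShell session so that `Get-NetTCPConnection` can map listening sockets to their owning process. A listener bound to `0.0.0.0` or a non-loopback address on an unpatched build is the case that the alert's in-the-wild exploitation targets.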