Cisco has issued a critical security warning regarding a vulnerability in its Smart Licensing Utility (CSLU). The vulnerability, tracked as CVE-2024-20439, exposes a hidden backdoor administrative account and is being actively exploited in attacks.
CSLU, a Windows application that manages licenses for on-premises Cisco products, contains an undocumented administrative account with a hardcoded password. This allows unauthenticated remote access and complete control over the CSLU application's API. Cisco patched this flaw (CVE-2024-20439) in September 2024; however, attacks exploiting it are now occurring.
The vulnerability only affects systems running an affected CSLU version, and exploitation requires the CSLU application to be actively running, which is not the default state. Security researcher Nicholas Starke reverse-engineered the vulnerability and published technical details, including the decoded password.
A Cisco spokesperson stated, “In March 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”
Johannes Ullrich, Dean of Research at SANS Technology Institute, observed a campaign leveraging this backdoor account. Attackers are chaining CVE-2024-20439 with another critical vulnerability, CVE-2024-20440. CVE-2024-20440 is an information disclosure vulnerability allowing access to sensitive log files, including API credentials.
Ullrich noted, “A quick search didn’t show any active exploitation [at the time], but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. So it is no surprise that we are seeing some exploit activity.”
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-20439 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to secure their systems by April 21, 2025. This isn't the first instance of hardcoded credentials found in Cisco products.
Similar vulnerabilities have been discovered in IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software. Immediate action to patch affected systems is crucial.