Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges.
CSLU is a Windows application that helps manage licenses and linked products on-premise without connecting them to Cisco's cloud-based Smart Software Manager solution.
The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account."
"A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application," it explained.
Cisco also released security updates for a critical CSLU information disclosure vulnerability (CVE-2024-20440) that unauthenticated threat actors can exploit to access log files containing sensitive data (including API credentials) by sending crafted HTTP requests to affected devices.
The two security vulnerabilities only impact systems running a vulnerable Cisco Smart Licensing Utility release, regardless of their software configuration. The security flaws are only exploitable if a user starts the Cisco Smart Licensing Utility, which is not designed to run in the background.
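Because the flaws only matter on hosts where a vulnerable CSLU release is installed and the utility is actually running, an administrator's first job is an inventory. The PowerShell script below is an added example for that purpose, not code from the article or from Cisco: it reads the Windows Uninstall registry keys for the product, compares the recorded version against a first-fixed release that you supply from Cisco's advisory (the default is a placeholder), and reports whether a matching process is currently running. The product DisplayName pattern, the process-name pattern, and the `-FixedVersion` parameter are all assumptions to adjust for the installed build.

```powershell
# Added example (not from the article or Cisco): audit a Windows host for Cisco Smart Licensing Utility.
# Assumptions, labelled: DisplayName in the Uninstall keys matches 'Cisco Smart Licens*', the first fixed
# release is passed via -FixedVersion (take it from Cisco's advisory; the default is a placeholder),
# and the process-name pattern is an assumption as well.
param(
    [string]$FixedVersion   = '0.0.0',               # PLACEHOLDER: first fixed release from the Cisco advisory
    [string]$ProductPattern = 'Cisco Smart Licens*', # assumption: DisplayName as written by the installer
    [string]$ProcessPattern = '*SmartLicens*'        # assumption: executable name; adjust to the installed binary
)

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives, since CSLU is a Windows desktop application.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductPattern } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $installed) {
    Write-Output 'CSLU not found in the Uninstall registry keys; nothing to check on this host.'
    return
}

foreach ($app in $installed) {
    $ver    = $null
    $status = 'UNKNOWN (version string not parseable)'
    if ([version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        # Anything below the first fixed release is affected regardless of configuration.
        $status = if ($ver -lt [version]$FixedVersion) { 'AFFECTED (below first fixed release)' } else { 'FIXED' }
    }
    Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status)
}

# The flaws are only exploitable while the utility is running, so record the current exposure window.
$running = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like $ProcessPattern }
if ($running) {
    $running | ForEach-Object {
        Write-Output ('Running: {0} (PID {1}), started {2}' -f $_.ProcessName, $_.Id, $_.StartTime)
    }
} else {
    Write-Output 'No matching CSLU process is running right now; exposure resumes the next time a user starts it.'
}
```

Run it as an administrator so the Uninstall keys and process start times are readable, and feed the output into whatever inventory or ticketing system tracks patch status; an "AFFECTED" host that also shows a running process is the one to update first.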
Cisco Smart License Utility Release