BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?


Malware & Threats

Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

Cisco has patched an NX-OS command injection zero-day exploited by China-linked cyberespionage group Velvet Ant.

Cisco zero-day

Cisco on Monday announced patches for a medium-severity zero-day vulnerability in the NX-OS software that has been exploited by a China-linked cyberespionage threat actor.

Tracked as CVE-2024-20399 (CVSS score of 6), the security defect impacts the command line interface of NX-OS and could allow a local attacker to execute arbitrary commands on the underlying operating system, with root privileges.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command,” Cisco explains in an advisory.

The tech giant also underlines that an attacker needs to be authenticated as an administrator on a vulnerable device to successfully exploit this bug.

“In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild,” Cisco notes.

CVE-2024-20399 impacts Cisco’s MDS 9000 series, Nexus 3000 series, Nexus 5500 platform, Nexus 5600 platform, Nexus 6000 series, Nexus 7000 series, and Nexus 9000 series switches. The tech giant has released firmware updates for all affected products.

The vulnerability was discovered and reported by cybersecurity firm Sygnia, which observed it being targeted in a cyberespionage campaign attributed to a China-linked threat actor tracked as ‘Velvet Ant’.

Last month, Sygnia revealed that Velvet Ant was seen maintaining access to an organization’s network for years by compromising internet-exposed legacy F5 BIG-IP appliances and deploying multiple tools to relay command-and-control (C&C) communication. 

Advertisement. Scroll to continue reading.

“Velvet Ant used outdated F5 BIG-IP equipment as internal command-and-control (C&C) servers to stay under the radar in a bid to maintain multiple footholds to the target network and methodically obtain private data, including financial and customer information,” Sygnia told SecurityWeek

The hacking group exploited the Cisco NX-OS bug to execute previously unknown malware on the affected devices, to connect remotely to them, upload additional files, and execute more code.

The cybersecurity firm explains that the vulnerability can only be exploited if the attacker has network access to the vulnerable device and is in the possession of administrator credentials.

“Given that most Nexus switches are not directly exposed to the internet, a threat group must first achieve initial access to the organization’s internal network to exploit this vulnerability. Consequently, the overall risk to organizations is reduced by the inherent difficulty in obtaining the necessary access,” Sygnia explains.

However, the cybersecurity firm also points out that, despite difficulties in exploiting flaws like CVE-2024-20399, sophisticated threat actors, such as Velvet Ant, tend to target insufficiently protected network appliances for persistent access to enterprise environments.

“Updating the systems of affected devices is the primary mitigation strategy for licensed devices. For cases in which software updates are not available, this incident demonstrates the critical importance of adopting security best practices to prevent access to devices in the first place,” Sygnia notes.

Related: Cisco Patches Webex Bugs Following Exposure of German Government Meetings

Related: Cisco Patches High-Severity Vulnerability in SD-WAN vManage

Related: Cisco Warns of Vulnerability in Discontinued Small Business Routers

Related: Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights