A severe vulnerability in the Command Line Interface (CLI) of Cisco NX-OS Software is currently being actively exploited, enabling attackers to execute arbitrary commands as root on compromised devices.
This zero-day flaw, identified as CVE-2024-20399, poses a significant risk to network security, particularly for organizations using Cisco’s Nexus and MDS series switches.
The vulnerability stems from inadequate validation of arguments passed to specific configuration CLI commands.
An authenticated local attacker with administrator credentials can exploit this flaw by providing crafted input as an argument for an affected configuration CLI command.
Successful exploitation grants the attacker root privileges on the underlying operating system, enabling the execution of arbitrary commands.
Affected Products
The following Cisco products are vulnerable if they are running a susceptible release of Cisco NX-OS Software:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Notably, certain models within the Nexus 3000 and Nexus 9000 series are not affected if they are running Cisco NX-OS Software release 9.3(5) or later; specific exceptions such as the N3K-C3264C-E and N9K-C92348GC-X models require updates to release 10.4.3 or later.
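As an added example (not code from the article, Cisco or Sygnia), the check below compares NX-OS release strings against the two thresholds this article quotes, avoiding the lexicographic trap where "10.4(3)" sorts before "9.3(5)". It assumes the device is one of the Nexus 3000/9000 models the article says are fixed at 9.3(5); the inventory rows are constructed, and the Cisco Software Checker stays the authoritative source for every other product and release.

```python
"""Added example: triage NX-OS release strings against the CVE-2024-20399
thresholds quoted in the article. Only those two thresholds are encoded;
consult the Cisco Software Checker for anything else (assumption noted)."""
import re
from typing import List, Tuple

# Models the article names as needing 10.4(3) or later.
LATE_FIX_MODELS = {"N3K-C3264C-E", "N9K-C92348GC-X"}
GENERAL_FIX = "9.3(5)"   # threshold the article gives for other 3000/9000 models
LATE_FIX = "10.4(3)"     # article writes this as 10.4.3


def parse_nxos_release(release: str) -> Tuple[int, ...]:
    """Turn '9.3(5)', '10.4(3)', '10.4.3' or '7.0(3)I7(10)' into an int tuple.
    Letter suffixes (the 'I' in I7, or 'a' in 5a) are dropped: the thresholds
    in the article carry none. Plain string comparison is wrong here because
    '10.4(3)' < '9.3(5)' lexicographically."""
    nums = re.findall(r"\d+", release)
    if len(nums) < 3:
        raise ValueError(f"unrecognised NX-OS release string: {release!r}")
    return tuple(int(n) for n in nums)


def required_release(model: str) -> str:
    """Fix threshold the article states for a Nexus 3000/9000 model."""
    return LATE_FIX if model.upper() in LATE_FIX_MODELS else GENERAL_FIX


def needs_update(model: str, release: str) -> bool:
    """True when the running release is older than the article's threshold.
    Assumption: model is one the article says is fixed at that threshold."""
    return parse_nxos_release(release) < parse_nxos_release(required_release(model))


# Constructed sample inventory (hostname, model, release); not real devices.
SAMPLE_INVENTORY = [
    ("core-sw1", "N9K-SAMPLE-A", "9.3(5)"),        # exactly at the threshold
    ("edge-sw2", "N9K-C92348GC-X", "9.3(12)"),     # exception model, too old
    ("lab-sw3", "N3K-C3264C-E", "10.4(3)"),        # exception model, fixed
    ("old-sw4", "N9K-SAMPLE-B", "7.0(3)I7(10)"),   # older release train
]


def flag_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose running release is below the stated threshold."""
    return [host for host, model, rel in inventory if needs_update(model, rel)]


if __name__ == "__main__":
    for host in flag_inventory(SAMPLE_INVENTORY):
        print(f"{host}: below the fix threshold quoted in the advisory summary")
```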
Exploitation and Mitigation
The Cisco Product Security Incident Response Team (PSIRT) became aware of this vulnerability’s active exploitation in April 2024. Cybersecurity firm Sygnia attributed these attacks to a Chinese state-sponsored threat actor, Velvet Ant, which leveraged the flaw to deploy custom malware on compromised devices.
This malware allows remote connection, file upload, and malicious code execution without triggering system syslog messages, thereby concealing the attack.
Cisco has released software updates to address this vulnerability. However, there are no workarounds available.
Administrators are urged to apply the updates promptly and regularly monitor and change the credentials for administrative users, such as network-admin and vdc-admin, to mitigate potential risks.
Cisco provides the Cisco Software Checker tool to determine exposure and find the appropriate software updates. This tool identifies impacted software releases and the earliest fixed versions. Administrators can access this tool on the Cisco Software Checker page.
Organizations using affected Cisco products should prioritize applying the necessary patches and continuously monitor their network for any signs of compromise.
By Andrej Kovacevic
Updated on 18th July 2024