Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.
“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command,” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”
“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices,” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.”
The vulnerability impacts the following devices:
Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin.
Cisco provides the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.
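Because the flaw is reached through arguments to configuration CLI commands, the admin-credential monitoring Cisco recommends is most useful when it is tied to the device's command accounting. The following is an added example, not code from the article, Cisco or Sygnia: it reviews NX-OS-style `show accounting log` lines (the line shape `timestamp:type=...:id=source@tty:user=...:cmd=... (RESULT)` is an assumption, and the sample lines, user names and addresses are constructed) and flags administrative logins from unknown sources and configuration-mode commands run by administrative accounts.

```python
import re

# Assumed shape of an NX-OS `show accounting log` line (assumption, not from the article):
#   <timestamp>:type=<start|stop|update>:id=<source>@<tty>:user=<name>:cmd=<command> (<RESULT>)
# Login (start) and logout (stop) records may carry an empty cmd and no result.
LOG_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>start|stop|update):id=(?P<id>[^:]*):"
    r"user=(?P<user>[^:]*):cmd=(?P<cmd>.*?)(?:\s*\((?P<result>[A-Z]+)\))?$"
)

# Constructed sample log: a routine operator session, then an admin session from an
# address outside the management network that enters configuration mode.
SAMPLE_LOG = """\
Fri Jul  5 09:58:12 2024:type=start:id=10.0.10.20@pts/0:user=netops:cmd=
Fri Jul  5 09:59:40 2024:type=update:id=10.0.10.20@pts/0:user=netops:cmd=show interface brief (SUCCESS)
Fri Jul  5 10:02:03 2024:type=start:id=203.0.113.44@pts/1:user=admin:cmd=
Fri Jul  5 10:02:45 2024:type=update:id=203.0.113.44@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/1 (SUCCESS)
Fri Jul  5 10:03:10 2024:type=update:id=203.0.113.44@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink (SUCCESS)
Fri Jul  5 10:05:55 2024:type=stop:id=203.0.113.44@pts/1:user=admin:cmd=
"""


def review_accounting(text, admin_users, known_sources):
    """Return findings for admin logins from unknown sources and admin config-mode commands.

    admin_users: account names holding network-admin / vdc-admin roles (site specific).
    known_sources: management hosts from which admin logins are expected.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            findings.append({"kind": "unparsed", "line": line})
            continue
        rec = m.groupdict()
        source = rec["id"].split("@", 1)[0]
        if rec["user"] not in admin_users:
            continue
        if rec["type"] == "start" and source not in known_sources:
            findings.append({"kind": "admin-login-new-source", "user": rec["user"],
                             "source": source, "ts": rec["ts"]})
        # Configuration-mode commands are the surface CVE-2024-20399 is reached through.
        if rec["type"] == "update" and rec["cmd"].startswith("configure terminal"):
            findings.append({"kind": "admin-config-change", "user": rec["user"],
                             "source": source, "cmd": rec["cmd"], "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for f in review_accounting(SAMPLE_LOG, {"admin"}, {"10.0.10.20"}):
        print(f)
```

Feed the real accounting log (or the equivalent records exported to your SIEM) instead of `SAMPLE_LOG`, and maintain `admin_users` and `known_sources` from your own device and management-host inventory.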
In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to the same China-linked threat actor ‘Velvet Ant.’
The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.
Pierluigi Paganini