{"id":165097,"date":"2024-07-02T07:25:27","date_gmt":"2024-07-02T07:25:27","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165097"},"modified":"2024-07-02T07:25:29","modified_gmt":"2024-07-02T07:25:29","slug":"cisco-nx-os-zero-day-chinese-hackers","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165097\/apt\/cisco-nx-os-zero-day-chinese-hackers.html","title":{"rendered":"China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware"},"content":{"rendered":"
<\/div>\n

Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.<\/h2>\n\n\n\n

Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant<\/a> exploited to deploy previously unknown malware as root on vulnerable switches.<\/p>\n\n\n\n

The flaw resides in the CLI of Cisco NX-OS Software, an authenticated, local attacker can exploit the flaw to execute arbitrary commands as\u00a0root\u00a0<\/em>on the underlying operating system of an affected device.<\/p>\n\n\n\n

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory<\/a> published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of\u00a0root<\/em>.”<\/gwmw><\/p>\n\n\n\n

The IT giant pointed out that only attackers with Administrator\u00a0credentials can successfully exploit this vulnerability on a Cisco NX-OS device.<\/p>\n\n\n\n

In April 2024, researchers reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was actively exploited in the wild.<\/p>\n\n\n\n

Cybersecurity\u00a0firm Sygnia observed the attacks on April 2024 and reported them to Cisco.<\/p>\n\n\n\n

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a \u2018zero-day\u2019 and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group \u2013 dubbed \u2018Velvet Ant\u2019 \u2013 successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report<\/strong><\/a> published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.<\/gwmw>“<\/em><\/p>\n\n\n\n

The vulnerability impacts the following devices:<\/p>\n\n\n\n