{"id":165415,"date":"2024-07-08T07:16:20","date_gmt":"2024-07-08T07:16:20","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165415"},"modified":"2024-07-08T07:16:22","modified_gmt":"2024-07-08T07:16:22","slug":"cisa-adds-cisco-nx-os-command-injection-bug-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165415\/security\/cisa-adds-cisco-nx-os-command-injection-bug-known-exploited-vulnerabilities-catalog.html","title":{"rendered":"CISA adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog<\/gwmw>"},"content":{"rendered":"
<\/div>\n

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog.<\/h2>\n\n\n\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added<\/a> a Cisco NX-OS Command Injection Vulnerability, tracked as CVE-2024-20399<\/a>, to its Known Exploited Vulnerabilities (KEV) catalog<\/a>.<\/p>\n\n\n\n

This week, Cisco addressed<\/a> an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group\u00a0Velvet Ant<\/a>\u00a0exploited to deploy previously unknown malware as root on vulnerable switches.<\/p>\n\n\n\n

The flaw resides in the CLI of Cisco NX-OS Software, an authenticated, local attacker can exploit the flaw to execute arbitrary commands as root <\/em>on the underlying operating system of an affected device.<\/p>\n\n\n\n

\u201cThis vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.\u201d reads the advisory<\/a> published by Cisco. \u201cA successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root<\/em>.\u201d<\/p>\n\n\n\n

The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device.<\/p>\n\n\n\n

In April 2024, researchers reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was actively exploited in the wild.<\/p>\n\n\n\n

Cybersecurity firm Sygnia observed the attacks on April 2024 and reported them to Cisco.<\/p>\n\n\n\n

\u201cSygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a \u2018zero-day\u2019 and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group \u2013 dubbed \u2018Velvet Ant\u2019 \u2013 successfully executed commands on the underlying operating system of Cisco Nexus devices.\u201d reads the report<\/strong><\/a> published by Sygnia. \u201cThis exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.\u201c<\/em><\/p>\n\n\n\n

The vulnerability impacts the following devices:<\/p>\n\n\n\n