Saturday, February 15, 2025
HomeCiscoCisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Cisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Published on

SIEM as a Service

Follow Us on Google News

Cisco has disclosed a critical vulnerability in its widely-used NX-OS network operating system that could allow attackers to execute arbitrary commands with root privileges on affected devices.

The company urges customers to upgrade to patched versions as soon as possible.

The vulnerability tracked as CVE-2024-20399 exists in the command-line interface (CLI) of NX-OS due to insufficient validation of arguments passed to specific configuration commands.

An authenticated local attacker with administrator credentials could exploit this flaw by entering crafted input as an argument.

Successful exploitation would allow the attacker to run commands on the underlying operating system as the root user, enabling full device compromise.

Cisco notes that the vulnerability is being actively exploited in the wild as of April 2024.

A wide range of Cisco data center and networking products are impacted if running vulnerable NX-OS versions, including:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches

However, with some exceptions, Nexus 9000 Series switches are unaffected on releases 9.3 and later.

Devices with the bash-shell feature available, such as Nexus 3000 and 9000 switches and Nexus 7000 on release 8.1+, do not grant extra privileges but still allow an admin to hide the execution of shell commands.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Attacks & Mitigation

In April 2024, the Cisco Product Security Incident Response Team (PSIRT) identified active exploitation of this vulnerability.

Cybersecurity firm Sygnia attributed these attacks to Velvet Ant, a Chinese state-sponsored threat actor, which used the flaw to deploy custom malware on compromised devices.

The malware enables remote connection, file upload, and malicious code execution without triggering system syslog messages, effectively concealing the attack.

Cisco offers the Cisco Software Checker tool to determine exposure and find the appropriate software updates.

This tool identifies impacted software releases and the earliest fixed versions, accessible on the Cisco Software Checker page.

Organizations using affected Cisco products should prioritize applying the necessary patches and continuously monitor their network for any signs of compromise.

Cisco has released patched NX-OS versions addressing the vulnerability and advises customers to upgrade as soon as possible.

No workarounds are available—the company credits cybersecurity firm Sygnia for reporting the flaw.

Network administrators should review the detailed advisory, determine their exposure via the Cisco Software Checker tool, and plan their upgrades as there is no workaround for this vulnerability.

Regularly changing admin credentials is also recommended as a best practice. Cisco TAC and support partners are available to assist customers as needed.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...