Cisco NX-OS Zero-Day Command Injection Vulnerability Let Hackers Gain Root Access

Cisco has disclosed a critical vulnerability in its widely-used NX-OS network operating system that could allow attackers to execute arbitrary commands with root privileges on affected devices.

The company urges customers to upgrade to patched versions as soon as possible.

The vulnerability tracked as CVE-2024-20399 exists in the command-line interface (CLI) of NX-OS due to insufficient validation of arguments passed to specific configuration commands.

An authenticated local attacker with administrator credentials could exploit this flaw by entering crafted input as an argument.

Successful exploitation would allow the attacker to run commands on the underlying operating system as the root user, enabling full device compromise.

Cisco notes that the vulnerability is being actively exploited in the wild as of April 2024.

A wide range of Cisco data center and networking products are impacted if running vulnerable NX-OS versions, including:

• MDS 9000 Series Multilayer Switches
• Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches

However, with some exceptions, Nexus 9000 Series switches are unaffected on releases 9.3 and later.

Devices with the bash-shell feature available, such as Nexus 3000 and 9000 switches and Nexus 7000 on release 8.1+, do not grant extra privileges but still allow an admin to hide the execution of shell commands.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Attacks & Mitigation

In April 2024, the Cisco Product Security Incident Response Team (PSIRT) identified active exploitation of this vulnerability.

Cybersecurity firm Sygnia attributed these attacks to Velvet Ant, a Chinese state-sponsored threat actor, which used the flaw to deploy custom malware on compromised devices.

The malware enables remote connection, file upload, and malicious code execution without triggering system syslog messages, effectively concealing the attack.

Cisco offers the Cisco Software Checker tool to determine exposure and find the appropriate software updates.

This tool identifies impacted software releases and the earliest fixed versions, accessible on the Cisco Software Checker page.

Organizations using affected Cisco products should prioritize applying the necessary patches and continuously monitor their network for any signs of compromise.

Cisco has released patched NX-OS versions addressing the vulnerability and advises customers to upgrade as soon as possible.

No workarounds are available—the company credits cybersecurity firm Sygnia for reporting the flaw.

Network administrators should review the detailed advisory, determine their exposure via the Cisco Software Checker tool, and plan their upgrades as there is no workaround for this vulnerability.

Regularly changing admin credentials is also recommended as a best practice. Cisco TAC and support partners are available to assist customers as needed.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files