CISA Includes Cisco NX-OS Command Injection Vulnerability in its Known Exploited Vulnerabilities Catalog

July 8, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a Cisco NX-OS Command Injection Vulnerability, designated CVE-2024-20399. This follows Cisco's recent fix for a zero-day vulnerability in its NX-OS software, exploited by the China-linked group Velvet Ant to deploy new malware. The vulnerability lies in the CLI of Cisco NX-OS Software and can be exploited by an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

According to Cisco's advisory, the vulnerability stems from insufficient validation of arguments passed to specific configuration CLI commands. An attacker can exploit this by including crafted input as the argument of an affected configuration CLI command. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. However, only attackers with Administrator credentials can exploit this vulnerability on a Cisco NX-OS device.

The vulnerability was first reported to the Cisco Product Security Incident Response Team (PSIRT) in April 2024, when it was already being actively exploited in the wild. Cybersecurity firm Sygnia detected these attacks and reported them to Cisco. Sygnia's report revealed that the Velvet Ant threat group had exploited CVE-2024-20399 as a zero-day, and Sygnia shared the vulnerability details with Cisco. The exploitation allowed the group to execute commands on the underlying operating system of Cisco Nexus devices, leading to the execution of previously unknown custom malware.

The vulnerability affects certain Cisco devices, and the company recommends that customers monitor the use of credentials for the administrative users network-admin and vdc-admin. Cisco has provided the Cisco Software Checker to help customers determine whether their devices are vulnerable to this flaw.
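As an added illustration of the monitoring step Cisco recommends (this is example code, not code from the article, CISA or Cisco), the script below reviews NX-OS-style accounting records and flags configuration-mode commands issued by network-admin or vdc-admin, as well as any use of those accounts from outside a trusted set of management hosts. The record layout and the sample entries are assumptions modelled loosely on "show accounting log" output, so the field layout should be confirmed against real devices.

```python
import re
from dataclasses import dataclass
# Assumed record shape, loosely modelled on NX-OS "show accounting log" output;
# constructed for this example, so confirm the field layout on your own devices.
LOG_RE = re.compile(r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+)"
                    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$")
# Administrative accounts Cisco's advisory says to monitor.
WATCHED_USERS = {"network-admin", "vdc-admin"}
# Constructed sample log: one routine session and two sessions worth a look.
CONSTRUCTED_LOG = """\
Mon Jul  8 09:14:02 2024:type=update:id=10.0.0.5@pts/0:user=netops:cmd=show version
Mon Jul  8 09:20:45 2024:type=update:id=10.0.0.9@pts/1:user=network-admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink
Mon Jul  8 23:41:10 2024:type=update:id=198.51.100.7@pts/2:user=vdc-admin:cmd=show running-config
Mon Jul  8 23:41:30 2024:type=update:id=198.51.100.7@pts/2:user=vdc-admin:cmd=configure terminal ; vrf context mgmt
"""
@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    source: str
    cmd: str
    reasons: tuple

def parse_record(line):
    """Split one accounting line into fields; None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["source"] = rec["id"].split("@", 1)[0]  # address before '@pts/N'
    return rec

def review_accounting(log_text, trusted_sources):
    """Flag configuration-mode commands (the advisory's entry point) by watched
    accounts, and any use of those accounts from an untrusted source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["user"] not in WATCHED_USERS:
            continue
        reasons = []
        if rec["cmd"].startswith("configure terminal"):
            reasons.append("configuration-mode command by watched account")
        if rec["source"] not in trusted_sources:
            reasons.append("source not in trusted management set")
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], rec["source"],
                                    rec["cmd"], tuple(reasons)))
    return findings
```

Feeding the constructed log with 10.0.0.5 and 10.0.0.9 as trusted sources yields three findings; the late-night vdc-admin session from 198.51.100.7 is flagged twice, once for its source and once for entering configuration mode.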

As per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to address identified vulnerabilities by a specified due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. CISA has instructed federal agencies to rectify this vulnerability by July 23, 2024.
