
Cisco Patches an Exploited Zero-Day Vulnerability

China-Nexus Hackers Velvet Ant Exploited the Bug in April, Cisco and Sygnia Say

Cisco on Monday patched a zero-day vulnerability discovered months ago that allowed a China-nexus hacker to execute arbitrary commands as root on the compromised devices.


The threat group, dubbed Velvet Ant, remotely connected to Cisco's NX-OS software used in switches and executed malicious code. The networking giant in an advisory attributes the discovery to cybersecurity firm Sygnia.

Tracked as CVE-2024-20399, the command injection vulnerability allows an authenticated local attacker to execute arbitrary commands as root.

Network appliances, particularly switches, are often unmonitored, and their logs are frequently not forwarded to a centralized logging system. This already creates "significant challenges" in identifying and investigating malicious activities, Sygnia said. But a lack of log review may not have mattered with this flaw. The vulnerability gives the user administrator privileges to carry out commands without triggering system syslog messages, making it easier to conceal the execution of shell commands.

The vulnerability is rated 6 on the CVSS scale despite its code execution capabilities and the widespread use of Cisco Nexus switches in enterprise environments such as data centers. The score is low because most Nexus switches are not directly exposed to the internet: an attacker would already need initial access, in the form of valid administrator credentials and specific command configurations, for exploitation to succeed.

Despite the prerequisites necessary to exploit the vulnerability, the incident "demonstrates the tendency of sophisticated threat groups to leverage network appliances, which are often not sufficiently protected and monitored, to maintain persistent network access," Sygnia said.

The potentially state-sponsored threat actor last month used outdated F5 BIG-IP appliances to execute custom malware in order to steal customer and financial data from an undisclosed East Asian company, and the campaign went undetected for three years.

For the new vulnerability, Cisco advises companies to change admin credentials and monitor activity as a preventive measure. Admins can check their devices' exposure on the software checker page.

About the Author

Rashmi Ramesh


Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.
