CVERadar

CVE-2024-20399

High Severity
Cisco
SVRS
65/100

CVSSv3
6.7/10

EPSS
0.00137/1

CVE-2024-20399 allows arbitrary command execution as root on Cisco NX-OS devices. This vulnerability stems from insufficient validation in CLI commands, potentially letting administrators with malicious intent execute commands as root. While it has a CVSS score of 6.7, the SVRS score is 65.

CVE-2024-20399 allows an authenticated user with Administrator privileges to execute arbitrary commands as root on affected Cisco NX-OS devices. This critical vulnerability is due to insufficient validation of arguments passed to specific CLI configuration commands. An attacker exploiting this can gain root privileges and execute commands on the underlying operating system. Note that certain Nexus switches already offer bash-shell access for administrators. This vulnerability is significant because attackers can use it to compromise systems and execute malicious code. Although rated moderate by CVSS, active exploits exist for it.

In The Wild
Exploit Available
CISA KEV
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
2024-07-01

2025-01-27
SOCRadar
AI Insight

Description

CVE-2024-20399 is a vulnerability in the CLI of Cisco NX-OS Software that could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands.

Key Insights

  • SVRS Score of 73: This indicates a high severity vulnerability that requires immediate attention.
  • Active Exploits: Active exploits have been published, making this vulnerability a high-priority target for attackers.
  • CISA Warning: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of this vulnerability, calling for immediate and necessary measures.
  • In the Wild: The vulnerability is actively exploited by hackers, making it a critical threat to organizations.

Mitigation Strategies

  • Apply Software Updates: Install the latest software updates from Cisco to patch the vulnerability.
  • Restrict Access to CLI: Limit access to the CLI to only authorized personnel.
  • Enable Logging and Monitoring: Configure logging and monitoring systems to detect and respond to suspicious activity.
  • Use Network Segmentation: Segment the network to limit the potential impact of an exploit.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
Blootus/CVE-2024-20399-Cisco-RCE | https://github.com/Blootus/CVE-2024-20399-Cisco-RCE | 2024-07-02
Cisco NX-OS Command Injection Vulnerability | https://www.cisa.gov/search?g=CVE-2024-20399 | 2024-07-02

News

Weathering the storm: In the midst of a Typhoon
Cisco Talos, 2025-02-20 (blogger.com)
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention. The activity, initially […]
Holding Back Salt Typhoon + Other Chinese APT CVEs
Chris Garland, 2024-12-12 (eclypsium.com)
Over the past several years, US Federal Agencies and private sector companies have observed China-based threat actors targeting network and telecommunication critical infrastructure. A wave of recent reports has disclosed that these attacks have succeeded in compromising government and industry targets to a far greater extent than previously thought. As a result, CISA has issued […]
U.S. agency cautions employees to limit phone use due to Salt Typhoon hack of telco providers
Pierluigi Paganini, 2024-11-10 (securityaffairs.co)
US CFPB warns employees to avoid work-related mobile calls and texts following China-linked Salt Typhoon hack over security concerns. The US government's Consumer Financial Protection Bureau (CFPB) advises employees to avoid using cellphones for work after China-linked APT group Salt Typhoon hackers breached major telecom providers. The Consumer Financial Protection Bureau (CFPB) is a U.S. […]
Cisco patches actively exploited zero-day flaw in Nexus switches - CSO Online
2024-07-02 (google.com)
The moderate-severity vulnerability has been observed being exploited in the wild by Chinese APT Velvet Ant. Cisco has released patches for several series of Nexus switches to fix a vulnerability that could allow attackers to hide the execution of bash commands on the underlying operating system. Although the flaw is rated with moderate severity because it requires administrative credentials to exploit, it has been exploited in the wild since April, showing that attackers don't target just critical or high-risk […]
Cisco warns of backdoor admin account in Smart Licensing Utility - BleepingComputer
2024-09-04 (google.com)
Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges. CSLU is a Windows application that helps manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution. The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account." "A successful exploit could allow the attacker to […]
Squashing the Velvet Ant: How Eclypsium Protects Cisco NX-OS and F5 Load Balancers
Paul Asadoorian, 2024-11-01 (eclypsium.com)
Introduced in 2006, Cisco's NX-OS powers the Cisco Nexus series network switches primarily targeted at large enterprise data centers and service providers. Cisco's NX-OS represents a different architecture than Cisco IOS (Internetworking Operating System), implementing a Linux sub-system that allows for better memory management, process scheduling, and device driver support. In addition to allowing Cisco […]

Social Media

Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches. Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of ... https://t.co/zNy1GtHoqv

Actively exploited CVE : CVE-2024-20399

🚨#DataBreach🚨 On July 1, 2024, Cisco released an advisory about a command injection vulnerability in its NX-OS software, identified as CVE-2024-20399. This vulnerability, used by a threat group known as Velvet Ant, allows authenticated users wi... https://t.co/nbwVRiBr5v iocs: https://buff.ly/4cH0YJN

7) CVE-2024-20399: Chinese Hackers Exploit Cisco Switch Zero-Day Vulnerability to Control Networks New details have surfaced regarding a Chinese threat group known as Velvet Ant, which has been exploiting a recently disclosed and now-patched zero-day vulnerability in Cisco

#China-Linked APT Group Velvet Ant Exploits Cisco #ZeroDay (CVE-2024-20399) Vulnerability https://t.co/XlU3H67xxx

China-linked 'Velvet Ant' group exploits #ZeroDay (CVE-2024-20399) on #CiscoNexus switches, deploying stealthy 'VELVETSHELL' #malware for long-term network persistence. #CyberSecurity #ThreatAlert https://t.co/KaM6uIKjcS

Sygnia uncovers the China-Nexus group 'Velvet Ant' leveraging a zero-day exploit (CVE-2024-20399) on Cisco Switch appliances, escalating evasion tactics to maintain long-term network persistence. https://t.co/yUYAFKuuJ9 @sygnia_labs

"Chinese hackers exploited a zero-day flaw in Cisco switches to take control of the system undetected. The threat group, Velvet Ant, weaponized CVE-2024-20399 to deliver custom malware and gain extensive control. #CyberSecurity #ZeroDay #Cisco" https://t.co/OwqYaPxL49

Earlier this year, we observed the advanced #threatgroup "Velvet Ant" leveraging a zero day exploit (CVE-2024-20399) to compromise and control on-premises Cisco Switch appliances. In the latest article in our series on Velvet Ant, we provide an in-depth analysis of the TTPs https://t.co/goYzugBshv

Affected Software

Configuration 1
Type | Vendor | Product
OS | Cisco | nx-os

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/

CWE Details

CWE ID | CWE Name | Description
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
