Cisco, the networking giant, has patched a critical security vulnerability in its Nexus operating system (NX-OS) software. The zero-day vulnerability, ranked with a medium-severity score, is known as CVE-2024-20399 and was found in the command line interface (CLI) of Cisco’s widely used Nexus switches.
The vulnerability makes it possible for an attacker who has valid admin credentials to run commands on the underlying Linux OS of Nexus products. According to Cisco’s advisory dated July 1, 2020, successful exploitation leads to root privileges and allows the attacker to:
- Access sensitive data
- Control critical systems
- Modify important files
This sort of access constitutes a significant risk to business integrity and data security, particularly for organizations that depend on Cisco Nexus infrastructure.
Discovery and Exploitation in the Wild
Cisco’s Product Security Incident Response Team learned of the vulnerability’s active exploitation in April, thanks to researchers at cybersecurity firm Sygnia. The discovery was part of a larger forensic investigation into a Chinese cyber espionage operation by a threat actor, “Velvet Ant.”
Velvet Ant: A Persistent Threat
Sygnia’s research revealed that Velvet Ant had previously succeeded in maintaining persistence within a large organization’s corporate network for three years. The threat actor achieved this by exploiting flaws in legacy F5 BigIP load balancers, demonstrating their sophisticated capabilities and long-term approach to cyber espionage.
The discovery of this zero-day vulnerability in Cisco’s NX-OS has raised concerns among cybersecurity experts:
Supply Chain Risks
Narayana Pappu, CEO of Zendata, highlighted the significant supply chain risks associated with the vulnerability: “Cisco Nexus switches are the backbone of data center networks, creating substantial supply chain risks for many types of companies.”
Insider Threats and Zero Trust
Venky Raju, Field CTO at ColorTokens, emphasized the potential for attackers to become “insiders” within enterprise networks:
“Most businesses have not implemented adequate safeguards against insider threats, which presents a significant risk. This is a stark reminder to adopt a zero-trust mindset and implement micro-segmentation to minimize lateral movement across the entire network.”
Recommendations for Organizations
Therefore, considering this vulnerability and the permanent danger from advanced adversaries such as Velvet Ant, organizations should take the following actions:
- Immediately apply Cisco security patch for vulnerable NX-OS devices
- Establish strong detection and monitoring capabilities
- Implement zero-trust security model
- Employ micro-segmentation to control lateral movement
- Regularly audit and update access controls (especially administrative accounts)
- Improve supply chain security, especially as it relates to core network infrastructure
