Cisco has patched a command-line injection flaw in its network management platform used to manage switches in data centers. The bug (CVE-2024-20399) allows authenticated attackers to execute arbitrary commands as root on the underlying operating system of an affected device. It affects Cisco Nexus series switches and some other products.
The vulnerability is due to insufficient validation of arguments passed to specific configuration CLI commands, allowing an attacker to include crafted input as the argument of an affected command. To exploit this vulnerability, an attacker must have admin-level credentials to the switch management console.
Cisco has released updates that patch the flaw in affected devices. The vulnerability is rated medium risk because it requires valid administrator credentials to exploit. However, it has already been exploited by the China-backed threat group Velvet Ant, which executed arbitrary commands on the underlying Linux OS of a Cisco Nexus switch and uploaded custom malware.
Organizations should prioritize patching any vulnerable devices present on their networks and follow best practices to harden their environments. This includes restricting administrator access, enforcing strong password policies, maintaining regular patch schedules, and limiting switches from initiating outbound connections to the Internet.