CVE-2024-20399: Cisco NX-OS Zero-Day Vulnerability Under Active Attack

A zero-day vulnerability (CVE-2024-20399) has been discovered in Cisco NX-OS Software, the operating system powering a wide range of Cisco’s networking devices. This flaw could allow an attacker with administrative credentials to execute commands with the highest privileges on the underlying operating system, potentially leading to a complete takeover of the affected device.

Cisco has confirmed that “In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.”

The vulnerability stems from insufficient validation of arguments passed to specific configuration commands in the NX-OS command-line interface (CLI). An attacker with administrative access could exploit this by crafting malicious input into these commands. Upon successful exploitation, the attacker gains the ability to execute arbitrary commands on the underlying operating system with root privileges.

In some cases, successful exploitation could allow the attacker to execute commands without triggering any system logs, making it difficult to detect the intrusion.

The CVE-2024-20399 vulnerability affects several popular Cisco products, including:

• MDS 9000 Series Multilayer Switches
• Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches

Specific software releases on these devices are vulnerable, and organizations should immediately review the Cisco advisory for details.

Cisco has released software updates to address this vulnerability, and it is imperative for network administrators to apply these updates immediately. Unfortunately, there are no workarounds available to mitigate this vulnerability, making the updates the sole method of defense.

Additionally, Cisco recommends adhering to standard network security practices, including monitoring and frequently changing administrative user credentials (e.g., network-admin and vdc-admin).