Cyber Resilience

CVE-2024-20399

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 01 July 2024
Modified: 28 October 2025
KEV Added: 02 July 2024
CVSS Score (v3.1): 6.0, vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.0066 (71.6th percentile)
Risk Priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20399 is a medium-severity OS Command Injection (CWE-78) vulnerability in Cisco NX-OS Software. Its CVSS v3.1 base score is 6.0 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 28.4% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the CLI of Cisco NX-OS Software allows an authenticated user holding Administrator credentials to execute arbitrary commands as root on the underlying operating system. The issue stems from insufficient validation of arguments supplied to specific configuration CLI commands and is tracked as CWE-78. It affects multiple Cisco Nexus switch platforms running vulnerable NX-OS releases. On Nexus 3000 Series switches, Nexus 7000 Series switches running NX-OS 8.1(1) and later, and Nexus 9000 Series switches in standalone NX-OS mode, administrative users can already reach the underlying OS through the bash-shell feature, so the flaw grants them no additional capability there. The CVSS v3.1 base score is 6.0 with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N.

An attacker must already hold Administrator credentials on an affected device. By supplying crafted input to an impacted configuration command, the attacker can run arbitrary commands on the host OS with root privileges. On devices that do not expose the bash-shell feature by default, this constitutes an escalation from CLI-restricted administrative access to full root control of the underlying system.
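The mechanism described above is the classic CWE-78 pattern: a privileged CLI wrapper that hands operator-supplied text to a host shell. The following Python example is added here to illustrate that pattern and its fix; it is not Cisco's code and does not reproduce the affected NX-OS commands, which the advisory does not name. It uses `echo` as a stand-in host utility so it runs unprivileged, and the allowlist grammar for the argument is an assumption for the demo.

```python
"""
Added illustration for CWE-78 (not Cisco code): a management CLI that builds a
host command from an operator-supplied argument, first without validation and
then hardened with an allowlist and argv-style execution.
"""
import re
import subprocess

# Stand-in for the host utility that a configuration command wraps. 'echo' is
# used so the demo runs unprivileged; on the device the CLI daemon runs such
# utilities as root, which is why injected text also runs as root.
HOST_UTILITY = "echo"


def run_vulnerable(arg: str) -> str:
    """Vulnerable pattern: the argument is interpolated into a shell string.

    shell=True hands the whole string to /bin/sh, so ';', '$(...)', backticks
    and similar inside `arg` are parsed as shell syntax rather than as data.
    """
    command = f"{HOST_UTILITY} {arg}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


# Allowlist for the hypothetical argument (interface-name-like tokens). The
# grammar is an assumption for the demo; the point is positive validation of
# what is permitted, not a denylist of shell metacharacters.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_./:-]{0,63}")


class InvalidArgument(ValueError):
    """Raised when an argument fails allowlist validation."""


def is_valid_arg(arg: str) -> bool:
    """True when the argument matches the allowlist exactly (no partial match)."""
    return _ALLOWED.fullmatch(arg) is not None


def run_hardened(arg: str) -> str:
    """Hardened pattern: validate, then execute via argv with no shell.

    Without shell=True the argument reaches the utility as one argv element,
    so even a metacharacter that slipped past the allowlist could not start a
    second command.
    """
    if not is_valid_arg(arg):
        raise InvalidArgument(f"argument rejected by allowlist: {arg!r}")
    return subprocess.run([HOST_UTILITY, arg], capture_output=True, text=True).stdout


if __name__ == "__main__":
    benign = "Ethernet1/1"
    hostile = "Ethernet1/1; echo INJECTED"  # constructed input, not a real exploit string
    print("vulnerable/benign :", run_vulnerable(benign).rstrip())
    print("vulnerable/hostile:", run_vulnerable(hostile).rstrip())
    print("hardened/benign   :", run_hardened(benign).rstrip())
    try:
        run_hardened(hostile)
    except InvalidArgument as exc:
        print("hardened/hostile  : rejected ->", exc)
```

Run on a POSIX host, the vulnerable path prints a second line (`INJECTED`) for the hostile input, while the hardened path rejects it before any process is spawned. Both halves of the fix matter: the allowlist implements SI-10 at the CLI boundary, and the argv-style call removes the shell so that validation is not the only line of defence.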

The Cisco Security Advisory cisco-sa-nxos-cmd-injection-xD9OhyOP describes the vulnerability and provides fixed software releases. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild use.

Public reporting attributes exploitation of the issue to the China-nexus threat group Velvet Ant. The EPSS score rose from a low baseline to a peak of 0.0225 on 2024-07-03, shortly after disclosure, before receding to the current value of 0.0066, a transient rise in predicted exploitation likelihood following publication. EPSS is a forecast, not a count of observed attacks; the KEV listing is the confirmation of in-the-wild use.


Vulnerability details

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.

Note: To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. The following Cisco devices already allow administrative users to access the underlying operating system through the bash-shell feature, so, for these devices, this vulnerability does not grant any additional privileges:

Nexus 3000 Series Switches
Nexus 7000 Series Switches that are running Cisco NX-OS Software releases 8.1(1) and later
Nexus 9000 Series Switches in standalone NX-OS mode

CWE(s): CWE-78 OS Command Injection
KEV Date Added: 02 July 2024

Related Threats

Threat-Actor Attribution (AI)

Velvet Ant (G1047)
A Sygnia report attributes exploitation of this Cisco NX-OS zero-day to the China-nexus group Velvet Ant.

MITRE ATT&CK Enterprise Techniques (AI)

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command-line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2024-20399 enables authenticated admins to inject crafted arguments into NX-OS CLI commands for arbitrary root command execution on the underlying Linux OS, facilitating Network Device CLI abuse (T1059.008), Unix Shell execution (T1059.004), and privilege escalation from admin to root (T1068).
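Because exploitation requires an already-authenticated administrator, the detection surface is the device's own CLI accounting trail rather than a network signature. The following Python example is added here (it is not from the page, Cisco or the Sygnia report) and runs three checks over NX-OS CLI accounting records: host-shell access commands (`feature bash-shell`, `run bash`, `run guestshell`, which are documented NX-OS commands and map to T1059.004), shell metacharacters inside CLI arguments (T1059.008), and configuration changes from hosts outside an expected management set. The record layout, the management-host set and the sample lines are all constructed for the demo; the `example-cmd` token is a placeholder, since the advisory does not name the affected commands. Validate the regex against your own `show accounting log` output before relying on it.

```python
"""
Added example (not from the page or Cisco): triage NX-OS CLI accounting records
for the activity CVE-2024-20399 implies. Record layout and samples are
constructed to resemble NX-OS accounting output; verify against real devices.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed record layout (constructed to resemble 'show accounting log'):
#   <timestamp>:type=<start|update|stop>:id=<source>@<line>:user=<name>:cmd=<text> (<result>)
# The id field is matched up to the next ':', so an IPv6 source would need a wider pattern.
_RECORD = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]*):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)

# Hosts from which administrator configuration changes are expected (constructed).
MGMT_HOSTS = {"192.0.2.10"}

# Tokens with no meaning in NX-OS CLI grammar but meaning to /bin/sh. '|' and '>'
# are deliberately absent: NX-OS uses them for output filtering and redirection,
# and NX-OS itself joins config-mode segments with ' ; ', so ';' is not flagged.
_SHELL_META = re.compile(r"\$\(|`|&&|\|\||\$\{")

# Documented NX-OS commands that hand the operator a host shell (T1059.004).
_HOST_SHELL = re.compile(r"\b(run bash|run guestshell|feature bash-shell|guestshell run)\b")


@dataclass
class Finding:
    rule: str
    user: str
    source: str
    cmd: str


def parse_record(line: str):
    """Return the record's fields as a dict, or None if the line does not parse."""
    m = _RECORD.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Apply the three checks to each 'update' record and return the findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "update":
            continue
        src = rec["id"].split("@", 1)[0]
        cmd = rec["cmd"]
        if _HOST_SHELL.search(cmd):
            findings.append(Finding("host-shell-access", rec["user"], src, cmd))
        if _SHELL_META.search(cmd):
            findings.append(Finding("shell-metachar-in-cli-arg", rec["user"], src, cmd))
        if cmd.startswith("configure terminal") and src not in MGMT_HOSTS:
            findings.append(Finding("config-from-unexpected-host", rec["user"], src, cmd))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a dashboard or alert threshold."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: two benign records from the management host, then three
# records from an unexpected host. 'example-cmd' is a placeholder command name.
SAMPLE_LOG = """\
Mon Jul  1 09:12:01 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink (SUCCESS)
Mon Jul  1 09:12:40 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=show running-config | include ntp (SUCCESS)
Mon Jul  1 23:41:07 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 23:41:19 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 23:42:03 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=configure terminal ; example-cmd arg$(id) (SUCCESS)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] user={f.user} src={f.source} cmd={f.cmd}")
    print(summarize(analyze(SAMPLE_LOG.splitlines())))
```

On the sample, the two records from the management host produce nothing (the `|` in `show running-config | include ntp` is legitimate CLI syntax), while the three off-host records yield five findings. On devices where the bash-shell feature is enabled by design the `host-shell-access` rule will be noisy and should be scoped to unexpected users or sources; the metacharacter rule is the one that most directly reflects this CVE's "crafted argument" mechanism.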

Affected Assets

Cisco NX-OS: 10.1(1), 10.1(2), 10.2(1), 10.2(1q), 10.2(2)
(Versions as catalogued on this page; the Cisco advisory carries the full affected-release and fixed-release matrix.)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly counters the insufficient argument validation (CWE-78) in CLI commands that permits crafted input to achieve root command execution.

AC-6 Least Privilege (prevent)
Limits the privileges granted to Administrator accounts so that even successful exploitation cannot yield unrestricted root access on the underlying OS.

Prevent
Restricts available CLI commands and features to only those required, reducing the attack surface of vulnerable configuration commands on affected NX-OS devices.
