Chinese State-Backed Hackers Exploit Newly Patched Zero-Day Vulnerability in Cisco Nexus Switches

A newly patched zero-day vulnerability has been exploited by Chinese state-backed hackers to compromise Cisco Nexus switches, researchers have revealed. Cisco released a patch for CVE-2024-20399 on July 2, 2024. This flaw, found in the Command Line Interface (CLI) of Cisco NX-OS software, could allow an authenticated local attacker to execute arbitrary commands as root on a targeted device.

Vulnerability Details and Exploit Mechanics

CVE-2024-20399 is a critical vulnerability stemming from insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this flaw by providing crafted input as the argument of an affected configuration command. A successful exploit would enable the attacker to execute arbitrary commands on the underlying operating system with root privileges. Despite the severe potential impact, the vulnerability has been assigned a CVSS score of 6 due to the requirement for the attacker to have administrator privileges and access to specific configuration commands.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands,” the advisory noted. “An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

Discovery and Impact

The exploitation of CVE-2024-20399 was first discovered in April by security vendor Sygnia, which identified that the Chinese threat group known as Velvet Ant had leveraged the vulnerability. This group has a history of sophisticated cyber-espionage campaigns, previously compromising F5 BIG-IP load balancers for persistence.

Sygnia’s investigation revealed that the exploitation led to the deployment of a previously unknown custom malware. This malware allowed Velvet Ant to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on these devices. The attack underscores the persistent nature of sophisticated threat actors and their ability to exploit network appliances that are often inadequately protected and monitored.

“Despite the substantial pre-requisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access; the incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat,” Sygnia explained.

Previous Exploits and Threat Actor Profile

Velvet Ant has been previously linked to a multi-year cyber-espionage campaign, wherein the group maintained persistent access to target networks by compromising network infrastructure devices like F5 BIG-IP load balancers. This sophisticated threat actor is believed to be state-sponsored and exhibits robust capabilities, including the deployment of custom malware and advanced persistence mechanisms.

During the recent attack on Cisco Nexus switches, Velvet Ant demonstrated agility and adaptability, using the vulnerability to establish a foothold and execute custom malware for remote operations. The malware facilitated the upload of additional malicious files and execution of commands, allowing the group to maintain control over compromised devices.

Recommendations for Mitigation

In light of these events, Sygnia has urged Cisco customers to enhance their security measures, particularly in the areas of centralized logging and network monitoring related to switches. Key recommendations include:

  1. Regular Patching: Ensure that all devices are updated with the latest security patches to mitigate vulnerabilities.
  2. Good Password Hygiene: Implement strong, unique passwords and regularly update them to prevent unauthorized access.
  3. Restricted Admin Access: Limit administrative privileges to essential personnel only and regularly review access controls.
  4. Enhanced Monitoring: Improve centralized logging and network monitoring to detect and respond to suspicious activities promptly.

Sygnia’s advisory emphasizes the importance of a comprehensive security strategy that includes these measures to protect against sophisticated threat actors.


The exploitation of CVE-2024-20399 by Velvet Ant highlights the ongoing threat posed by state-sponsored cyber-espionage groups. The incident serves as a reminder of the critical importance of robust security practices, including regular patching, strong password management, restricted access controls, and enhanced monitoring. By adhering to these best practices, organizations can better defend against advanced persistent threats and maintain the integrity of their network infrastructure.

For more detailed insights and cybersecurity strategies, visit Sygnia’s advisory.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.