5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.7%
A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
“By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.
Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.
What’s more, it enables a user with administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.
Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 -
Sygnia said it discovered in-the-wild exploitation of CVE-2024-20399 during a broader forensic investigation that happened during the past year. Cisco, however, noted that it became aware of attempted exploitation of the vulnerability in April 2024.
Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.
“Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system,” Sygnia said. “This lack of monitoring creates significant challenges in identifying and investigating malicious activities.”
The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.
“The exploit’s variations […] enable the extraction of account details from the device,” threat intelligence firm GreyNoise said. “The product is End-of-Life, so it won’t be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.023 Low
EPSS
Percentile
89.7%