China-Linked Group Exploits Cisco Switch Flaw for Malware Delivery

Image Credit by Pixabay

VTA-004487 – China-Linked Group Exploits Cisco Switch Flaw for Malware Delivery

A cyberespionage group possibly linked to China has leveraged a zero-day exploit in Cisco’s NX-OS software to deploy malware on Cisco Nexus switches. The vulnerability, identified as CVE-2024-20399 with a CVSS score of 6.0, involves a command injection flaw that enables an authenticated, local attacker to run arbitrary commands as root on the operating system of a compromised device. Velvet Ant exploited this vulnerability to deploy a custom malware, allowing them to remotely connect to compromised Cisco Nexus devices, upload files, and execute code. Cisco explained that the issue arises from inadequate validation of arguments passed to certain configuration CLI commands, which can be exploited by an attacker using crafted input as the argument for an affected configuration CLI command. Despite the flaw’s ability to execute code, its lower severity is attributed to the requirement for the attacker to already have administrator credentials and access to specific configuration commands. Researchers discovered in-the-wild exploitation of CVE-2024-20399 during a broader forensic investigation conducted over the past year. Cisco noted that it became aware of attempted exploitation of the vulnerability in April 2024. Velvet Ant was first documented by an Israeli cybersecurity firm last month, in connection with a cyber attack targeting an unnamed organization in East Asia for approximately three years. The group established persistence using outdated F5 BIG-IP appliances to stealthily steal customer and financial information. Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system, making it challenging to identify and investigate malicious activities.



Attack Surface:
Infrastructure, Server OS, Cloud Service, Others


Command and Control, Initial Access, Reconnaissance, Execution


T1049 – System Network Connections Discovery

T1105 – Ingress Tool Transfer

T1562 – Impair Defenses

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Implement Privileged Access Management solution with multifactor authentication enforced
2. Enforce robust password policies and ensure good password hygiene.
3. Enable Syslog on all switches to enhance monitoring capabilities.
4. Regularly conduct patch and vulnerability management.

Contributed by: Varrumen