Cisco Nexus switches targeted by large-scale Chinese malware campaign

News
By published

Zero-day was found granting unabated access to Chinese state-sponsored threat actors

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Chinese threat actors have been found abusing a zero-day vulnerability in certain Cisco switches to take over the devices and install malware.

The findings come courtesy of Sygnia, which recently uncovered a new malicious campaign apparently undertaken by a Chinese state-sponsored threat actor known as Velvet Ant. 

"The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

Monitoring login credentials

The vulnerability has since been patched, so if you’re using any of the below-mentioned models, make sure to apply the fix immediately.

The vulnerability is tracked as CVE-2024-20399 and, according to Cisco, can be abused by local attackers with admin privileges. It grants them the ability to run arbitrary commands with root permissions on NX-OS, the operating system powering the switches. 

"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command," Cisco said.

Here is the full list of vulnerable endpoints:

MDS 9000 Series Multilayer Switches

Nexus 3000 Series Switches

Nexus 5500 Platform Switches

Nexus 5600 Platform Switches

Nexus 6000 Series Switches

Nexus 7000 Series Switches

Nexus 9000 Series Switches in standalone NX-OS mode

Besides being able to run arbitrary commands with root privileges, the vulnerability also allows the attackers to stay hidden while doing so, since it doesn’t trigger system syslog messages, it was said. 

To look for signs of compromise, Cisco advises network administrators to keep track, and update, the login credentials of network-admin and vdc-admin users. Ultimately, they can use the Cisco Software Checker page to see if any of their devices are vulnerable.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
China
Juniper patches security flaws which could have let hackers take over your router
China
Salt Typhoon hackers used this clever technique to attack US networks
vpn
Ivanti warns another critical security flaw is being attacked
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
China
Chinese hackers targeting Juniper Networks routers, so patch now
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Latest in News
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI
More about security
Google Chrome

Google Chrome security flaw could have let hackers spy on all your online habits
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

Broadcom warns of worrying security flaws affecting VMware tools
Apple MacBook Air M3 on yellow background with lowest price text overlay

Need a new MacBook Air? Well I've found 9 discounts you'll not want to miss, including a MacBook Air M4 Amazon deal
See more latest
Most Popular
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
Render of a new RTX 4000 Max-Q gaming laptop.
I can't say I'm surprised, but Nvidia's RTX 5090 laptop GPU has a big performance leap over its predecessor, according to early benchmarks
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Apple Music on a tablet, showing a new Listening Guide feature
Apple Music Classical just got 3 excellent perks in its biggest upgrade since launch
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Quick move in Civ 7.
Sid Meier's Civilization 7 update 1.1.1 is here and it finally adds a setting that I've wanted since day one
A green claw wraps around the carcass of a monster
Is Lagiacrus coming to Monster Hunter Wilds? Some fans are convinced, and here's why
Gemini on a smartphone.
Gemini 2.5 is now available for Advanced users and it seriously improves Google’s AI reasoning
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC