{
	"id": "ca73b840-4fd8-432e-9de2-d6da45bdebbe",
	"created_at": "2026-04-06T00:08:18.516385Z",
	"updated_at": "2026-04-10T03:36:19.012735Z",
	"deleted_at": null,
	"sha1_hash": "8cce2d674351f14e9873ecd3f6ca2210e6dd68e0",
	"title": "China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56152,
	"plain_text": "China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day\r\n(CVE-2024-20399) to Compromise Nexus Switch Devices –\r\nAdvisory for Mitigation and Response\r\nBy Sygnia\r\nPublished: 2024-07-01 · Archived: 2026-04-05 15:08:41 UTC\r\nLearn about the forensic investigation by Sygnia, the cyber espionage operation by Velvet Ant, and best practices\r\nfor safeguarding your network against sophisticated threats.\r\nOverview\r\nOn July 1, Cisco published an advisory regarding CVE-2024-20399, a newly discovered command\r\ninjection vulnerability in the Cisco NX-OS Software CLI. This vulnerability affects a wide range of Cisco\r\nNexus devices.\r\nSygnia discovered and reported this vulnerability to Cisco and provided detailed information about the\r\nexploit and the subsequent attack flow.\r\nThe vulnerability was identified as part of a larger forensic investigation performed by Sygnia of a China-nexus cyber espionage operation that was conducted by a threat actor Sygnia dubs ‘Velvet Ant’.\r\nFollowing Velvet Ant’s exploitation of CVE-2024-20399, the group successfully executed malicious code\r\non the underlying Linux OS of the Nexus switch.\r\nNetwork appliances, particularly switches, are often not monitored, and their logs are frequently not\r\nforwarded to a centralized logging system. This lack of monitoring creates significant challenges in\r\nidentifying and investigating malicious activities.\r\nConsistently applying and adhering to security best practices ensures resilient defense mechanisms,\r\neffectively safeguarding against sophisticated threats, including state-sponsored attacks such as Velvet Ant.\r\nIntroduction\r\nBackground\r\nCisco NX-OS Software is a network operating system specifically used for Cisco’s Nexus series of switches.\r\nAlthough NX-OS is based on a Linux kernel, it abstracts away the underlying Linux environment and provides its\r\nown set of commands using the NX-OS CLI. 
In order to execute commands on the underlying Linux operating\r\nsystem from the switch management console, an attacker would need a “jailbreak” type of vulnerability to escape\r\nthe NX-OS CLI context.\r\nCVE-2024-20399, which was identified by Sygnia, allows an attacker with valid administrator credentials to the\r\nswitch management console to escape the NX-OS CLI and execute arbitrary commands on the underlying Linux\r\noperating system.\r\nhttps://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/\r\nPage 1 of 4\n\nSygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’\r\nand shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed\r\n‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices. This\r\nexploitation led to the execution of a previously unknown custom malware that allowed the threat group to\r\nremotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.\r\nRelevance and Impact for Your Organization\r\nCisco Nexus switches are prevalent in enterprise environments, especially within data centers. Exploiting the\r\nidentified vulnerability requires the threat group to possess valid administrator-level credentials and have network\r\naccess to the Nexus switch. Given that most Nexus switches are not directly exposed to the internet, a threat group\r\nmust first achieve initial access to the organization’s internal network to exploit this vulnerability. 
Consequently,\r\nthe overall risk to organizations is reduced by the inherent difficulty in obtaining the necessary access.\r\nDespite the substantial pre-requisites for exploiting the discussed vulnerability, this incident demonstrates the\r\ntendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected\r\nand monitored – to maintain persistent network access; the incident also underscores the critical importance of\r\nadhering to security best practices as a mitigation against this type of threat. The recommended mitigation\r\nstrategies are detailed in the Hardening and Prevention section below. \r\nWhat You Should Do\r\nGeneral Details and Affected Products\r\nThe vulnerability has CVE ID CVE-2024-20399, and a CVSS score of 6.0 (medium severity).\r\nAs of version 1.0 of Cisco’s advisory regarding the CVE, the following products are affected:\r\nMDS 9000 Series Multilayer Switches (CSCwj97007) *\r\nNexus 3000 Series Switches (CSCwj97009)\r\nNexus 5500 Platform Switches (CSCwj97011)\r\nNexus 5600 Platform Switches (CSCwj97011)\r\nNexus 6000 Series Switches (CSCwj97011)\r\nNexus 7000 Series Switches (CSCwj94682) *\r\nNexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009) *\r\n* See the detailed list of affected products in Cisco’s advisory.\r\nPatching\r\nCisco has released software updates that address the vulnerability described in this advisory. Updating the systems\r\nof affected devices is the primary mitigation strategy for licensed devices. 
For cases in which software updates are\r\nnot available, this incident demonstrates the critical importance of adopting security best practices to prevent\r\naccess to devices in the first place.\r\nHardening and Prevention\r\nThe prevention and hardening strategies outlined below are designed to provide organizations with robust\r\nmeasures to counter threats related to unauthorized access and command execution vulnerabilities in network\r\nequipment such as CVE-2024-20399.\r\n1. Restrict administrative access: Utilize a Privileged Access Management (PAM) solution or a dedicated,\r\nhardened jump server with multi-factor authentication (MFA) enforced, to restrict access to network\r\nequipment. If these options are not feasible, restrict access to specific network addresses, such as an Out-Of-Band (OOB) network. Implementing a secure point for management access significantly limits a threat\r\ngroup’s ability to gain access to switches and other network equipment without being detected.\r\n2. Use central authentication, authorization, and accounting management for users (AAA): Utilizing\r\nTACACS+ and systems such as Cisco ISE can help streamline and enhance security, especially in\r\nenvironments with numerous switches. Centralized user management ensures that local user accounts are\r\nnot scattered across individual switches, and simplifies monitoring, password rotation, and access reviews.\r\nAdditionally, in the event of a compromise, centralized management allows for quick and efficient user\r\nremediation across all network equipment.\r\n3. Enforce a strong password policy and maintain good password hygiene: Although passwords should\r\nnot be the sole security measure, ensuring that administrative users have complex, securely stored\r\npasswords is crucial. 
Preferably, use a Privileged Identity Management (PIM) solution that can auto-rotate\r\nadministrative account passwords, or a password vault with restricted access. Avoid storing passwords in\r\nunsecured locations, such as Excel spreadsheets or shared folders.\r\n4. Restrict outbound internet access for devices: Restrict switches from initiating outbound connections to\r\nthe internet to reduce the risk of them being exploited by external threats, or used to communicate with\r\nmalicious actors. Implement strict firewall rules and access control lists (ACLs) to ensure that only\r\nnecessary traffic is allowed, further enhancing the security of your network infrastructure.\r\n5. Implement regular patch management and vulnerability management practices: Regularly review and\r\napply patches to all network devices to address newly discovered vulnerabilities such as CVE-2024-20399\r\nto reduce the risk of exploitation. Utilize automated tools such as vulnerability scanners to identify and\r\nprioritize existing vulnerabilities in network equipment.\r\nMonitoring and Detection\r\nNetwork equipment, especially switches, often lacks adequate monitoring by organizations. Enhancing visibility\r\nand forwarding logs to a central logging solution are crucial first steps in identifying malicious activities on\r\nnetwork devices. To monitor for exploitation attempts, consider the following actions:\r\n1. Enable Syslog on All Switches: Ensure that all network switches are configured to send log data to a\r\ncentralized Syslog server.\r\n1. Cisco supports configuring different logging levels for specific modules.\r\n2. By default, Cisco switches only log failed authentication attempts. Consider changing the\r\nAUTHPRIV level to 6 to also include successful authentication attempts.\r\n2. Set Up SIEM Integration: Integrate switch logs with a Security Information and Event Management\r\n(SIEM) system to correlate events and detect anomalies.\r\n3. 
Configure Alerts: Utilize syslog information to establish alerts that help identify suspicious activities. For\r\ninstance, set up alerts for SSH connections that do not originate from an authorized jump host, and for SSH\r\nconnections originating from network equipment.\r\n4. Set up Network Monitoring: Regularly analyze network traffic to identify anomalous patterns associated\r\nwith Cisco switches, with a focus on traffic involving management ports such as SSH and Telnet.\r\n5. Conduct Periodic Threat Hunts: Design threat hunts focused on network devices.\r\n1. Exploitation of CVE-2024-20399 can be identified by analyzing commands executed on the device\r\nand searching for anomalies; such commands may include the output of the ‘show accounting log’\r\ncommand.\r\n2. To identify a compromised switch running the malware deployed by Velvet Ant, analyze the output\r\nof ‘show sockets connection’, and search for processes listening on high ports.\r\n3. Note that to validate if a switch that exhibits suspicious indicators is indeed compromised, access to\r\nthe underlying Linux operating system is required.\r\n6. Monitor Velvet Ant’s IOCs and TTPs: Sygnia recently published a detailed blog post on the group,\r\nproviding additional insights into their methods. Use the information in the blog to enhance detection\r\ncapabilities, and to detect whether the threat group is present or active within your network.\r\nAppendices\r\nReferences\r\nCisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP\r\nSygnia’s blog on Velvet Ant:\r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nHow Sygnia Can Help\r\nSygnia offers focused threat hunts and incident response services to navigate the challenges posed by CVE-2024-20399. 
Our experts are ready to assist in swiftly securing your environment against this and all vulnerabilities. \r\nIf you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at\r\ncontact@sygnia.co or our 24-hour hotline +1-877-686-8680.\r\nThis advisory and any information or recommendation contained here has been prepared for general informational\r\npurposes and is not intended to be used as a substitute for professional consultation on facts and circumstances\r\nspecific to any entity. While we have made attempts to ensure the information contained herein has been obtained\r\nfrom reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to\r\nbe treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the\r\nuse of this Advisory. This advisory is provided on an as-is basis, and without warranties of any kind.\r\nSource: https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/"
	],
	"report_names": [
		"china-nexus-threat-group-velvet-ant-exploits-cisco-0-day"
	],
	"threat_actors": [
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cce2d674351f14e9873ecd3f6ca2210e6dd68e0.pdf",
		"text": "https://archive.orkl.eu/8cce2d674351f14e9873ecd3f6ca2210e6dd68e0.txt",
		"img": "https://archive.orkl.eu/8cce2d674351f14e9873ecd3f6ca2210e6dd68e0.jpg"
	}
}