⚠ Actively exploited
Added to CISA KEV on 2024-07-02. Federal agencies required to patch by 2024-07-23. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-20399

CWE-78OS Command Injection7 documents7 sources
Severity
6.7MEDIUM
EPSS
0.8%
top 26.46%
CISA KEV
KEV
Added 2024-07-02
Due 2024-07-23
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Cisco Cisco Nx-os SoftwareCisco Nx-os
Timeline
PublishedJul 1
KEV addedJul 2
Latest updateJul 10
KEV dueJul 23
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit co

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages2 packages

CVEListV5cisco/cisco_nx-os_software318 versions+317
NVDcisco/nx-os262 versions+261

🔴Vulnerability Details

3
GHSA
GHSA-428g-3m2x-46jh: A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlyin2024-07-01
CVEList
Cisco NX-OS Software CLI Command Injection Vulnerability2024-07-01
VulnCheck
Cisco NX-OS Command Injection Vulnerability2024

📋Vendor Advisories

2
CISA
Cisco NX-OS Command Injection Vulnerability2024-07-02
Cisco
Cisco NX-OS Software CLI Command Injection Vulnerability2024-07-01

🕵️Threat Intelligence

1
Bleepingcomputer
CISA urges devs to weed out OS command injection vulnerabilities2024-07-10