2 July 2024

Chinese Velvet Ant APT caught exploiting Cisco zero-day to breach Nexus devices


A China-linked threat actor has been exploiting a zero-day vulnerability in Cisco Nexus devices as part of its cyberespionage campaign, cybersecurity firm Sygnia reported.

The zero-day, tracked as CVE-2024-20399, is an OS command injection issue that allows a local user to escalate privileges on the system. The vulnerability exists due to improper input validation: a local user can exploit it to execute arbitrary commands as root on the underlying operating system of an affected device.

The flaw impacts the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software: MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode.

According to Sygnia’s report, the vulnerability has been exploited by a Chinese threat actor known as Velvet Ant to execute commands on the compromised Nexus devices and deploy a previously unreported malware that allowed the attackers to connect remotely to the breached device, upload additional files, and execute code.

Earlier this week, US-based networking products maker Juniper Networks issued out-of-band security updates to address a critical vulnerability in some of its routers that could lead to an authentication bypass. The flaw, identified as CVE-2024-2973, exists due to missing authentication checks when a device is running with a redundant peer. A remote, unauthenticated attacker can bypass authentication and take full control of the affected device.

Separately, threat intelligence outfit GreyNoise reported exploitation attempts targeting a critical D-Link DIR-859 router flaw (CVE-2024-0769), a path traversal issue that leads to information disclosure. GreyNoise said the threat actor has been observed leveraging this vulnerability “to render a different PHP file to dump account names, passwords, groups, and descriptions for all users of the device.”
