Cisco is warning of a zero-day exploit in NX-OS that is being actively targeted by Chinese state-sponsored group Velvet Ant.

According to BleepingComputer, the issue was first reported to Cisco by cybersecurity firm Sygnia. The Velvet Ant group is actively targeting the vulnerability, which is what first tipped it off to the issue.

“Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant,” Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code.”

Cisco described the exploit in more detail:

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.

Cisco says the following devices are vulnerable:

• MDS 9000 Series Multilayer Switches (CSCwj97007)
• Nexus 3000 Series Switches (CSCwj97009)1
• Nexus 5500 Platform Switches (CSCwj97011)
• Nexus 5600 Platform Switches (CSCwj97011)
• Nexus 6000 Series Switches (CSCwj97011)
• Nexus 7000 Series Switches (CSCwj94682)2
• Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

The company has released software updates for the impacted NX-OS devices and all customers are advised to update immediately.