Cisco has patched a command-line injection flaw (CVE-2024-20399, CVSS 6.0) in its network management platform, used to manage switches in data centers. The vulnerability allows authenticated attackers to execute arbitrary commands as root on the underlying operating system of affected devices. Researchers from Sygnia report that the China-backed threat group Velvet Ant has already exploited this flaw. The issue arises from insufficient validation of arguments passed to specific configuration CLI commands in Cisco NX-OS Software, and it affects several Cisco devices, including various Nexus series switches. Although the flaw is rated medium risk because exploitation requires admin credentials, its use by Velvet Ant underscores the urgency of applying Cisco’s released patches. Velvet Ant used the flaw to execute commands and deploy custom malware, highlighting the importance of securing network environments.

Organizations should patch vulnerable devices, use privileged access management solutions, enforce strong password policies, restrict outbound connections from switches, and adhere to security best practices to mitigate further risks.