Cisco Warns of Critical NX-OS Vulnerability Used to Spread Malware
Tech & AI | July 1, 2024, 9:13 p.m.
Cisco has patched a zero-day vulnerability in its NX-OS software that was exploited in attacks back in April to install previously unknown malware on vulnerable switches. The attacks have been linked to a Chinese state-sponsored threat actor known as Velvet Ant by cybersecurity firm Sygnia, which reported the incidents to Cisco. The threat actors were able to gain administrator-level credentials to access Cisco Nexus switches and deploy custom malware, allowing them to remotely connect to compromised devices, upload files, and execute malicious code.

The vulnerability (CVE-2024-20399) can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on affected devices. Cisco recommends monitoring and changing administrative user credentials regularly and offers a tool to check for exposure to the vulnerability.

This incident follows a previous warning by Cisco of a state-backed hacking group exploiting zero-day bugs in ASA and FTD firewalls in a campaign targeting government networks worldwide.