Cisco on Monday patched a zero-day vulnerability discovered months ago that allowed a China-nexus hacker to execute arbitrary commands as root on the compromised devices.

The threat group, dubbed Velvet Ant, remotely connected to Cisco’s NX-OS software used in switches and executed malicious code. The networking giant in an advisory attributes the discovery to cybersecurity firm Sygnia.

Tracked as CVE-2024-20399, the command injection vulnerability allows an authenticated local attacker to execute arbitrary commands as root.