CVE-2021-1361
📋 TL;DR
This critical vulnerability allows unauthenticated remote attackers to create, delete, or overwrite arbitrary files with root privileges on affected Cisco Nexus switches. Attackers can exploit this by sending crafted TCP packets to port 9075, potentially adding unauthorized user accounts or modifying device configuration. Affected devices include Cisco Nexus 3000 and 9000 Series Switches running NX-OS Software in standalone mode.
💻 Affected Systems
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches
📦 What is this software?
Nx Os by Cisco
Nx Os by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise including persistent backdoor installation, configuration tampering, credential theft, and potential lateral movement to other network segments.
Likely Case
Unauthorized administrative access, configuration changes, data exfiltration, and service disruption.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to port 9075.
🎯 Exploit Status
Exploitation requires only network access to TCP port 9075 and knowledge of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco Security Advisory for specific fixed releases per platform
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-3000-9000-fileaction-QtLzDRy2
Restart Required: Yes
Instructions:
1. Review Cisco Security Advisory for fixed releases. 2. Download appropriate software from Cisco.com. 3. Backup configuration. 4. Upgrade to fixed release following Cisco NX-OS upgrade procedures. 5. Verify upgrade success and functionality.
🔧 Temporary Workarounds
Block TCP Port 9075
allUse access control lists (ACLs) to block external access to TCP port 9075 on all interfaces.
ip access-list extended BLOCK-9075
deny tcp any any eq 9075
permit ip any any
interface [interface-name]
ip access-group BLOCK-9075 in
Disable Unnecessary Services
allDisable the vulnerable internal file management service if not required.
no feature [service-name]
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected switches from untrusted networks
- Apply ACLs to block all traffic to TCP port 9075 from any source except management stations
🔍 How to Verify
Check if Vulnerable:
Check if TCP port 9075 is listening on interfaces: 'show ip sockets' or 'show running-config | include 9075'Check Version:
show version | include SoftwareVerify Fix Applied:
Verify upgraded to fixed version: 'show version' and confirm port 9075 is not externally accessible📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to TCP port 9075
- File system modification logs
- Authentication logs showing new user creation
Network Indicators:
- TCP packets to port 9075 from unexpected sources
- Unusual file transfer patterns to/from switch
SIEM Query:
source_port=9075 OR dest_port=9075 AND (protocol=TCP) AND (action=allow OR bytes_sent>0)