Unrated severity · NVD Advisory · Published Mar 11, 2019 · Updated Nov 20, 2024

Cisco NX-OS Software NX-API Command Injection Vulnerability

CVE-2019-1614

Description

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to perform a command-injection attack and execute arbitrary commands with root privileges.

Note: NX-API is disabled by default.

MDS 9000 Series Multilayer Switches are affected running software versions prior to 8.1(1b) and 8.2(3). Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected running software versions prior to 7.0(3)I7(4). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected running software versions prior to 7.3(4)N1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 7000 and 7700 Series Switches are affected running software versions prior to 7.3(3)D1(1) and 8.2(3).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco NX-OS NX-API command injection vulnerability allows authenticated remote attackers to execute arbitrary commands with root privileges.

Vulnerability

A command injection vulnerability exists in the NX-API subsystem of Cisco NX-OS Software [1]. The issue stems from insufficient input validation of user-supplied data processed by the NX-API feature. An authenticated, remote attacker can exploit this flaw by sending crafted HTTP or HTTPS packets to the management interface of an affected device [1]. NX-API is disabled by default, so exploitation is only possible on systems where it has been explicitly enabled. The following products and versions are affected: MDS 9000 Series Multilayer Switches prior to 8.1(1b) and 8.2(3), Nexus 3000 Series prior to 7.0(3)I4(9) and 7.0(3)I7(4), Nexus 3500 Platform prior to 7.0(3)I7(4), Nexus 2000/5500/5600/6000 Series prior to 7.3(4)N1(1), Nexus 9000 Series in Standalone NX-OS Mode prior to 7.0(3)I4(9) and 7.0(3)I7(4), and Nexus 7000/7700 Series prior to 7.3(3)D1(1) and 8.2(3) [1].

Exploitation

An attacker must have valid credentials to authenticate to the affected device, and the NX-API feature must be enabled on the management interface [1]. The attack does not require any additional privileges or user interaction beyond authentication. The attacker sends specially crafted HTTP or HTTPS requests to the NX-API endpoint, which triggers the command injection due to improper input validation [1].

Impact

A successful exploit allows the attacker to execute arbitrary operating system commands with root privileges on the affected device [1]. This results in complete compromise of the system's confidentiality, integrity, and availability, as the attacker gains full control over the affected switch.

Mitigation

Cisco has released free software updates to address this vulnerability [1]. The advisory provides specific version recommendations for each affected product line (e.g., MDS 9000 Series upgrade to 8.1(1b) or 8.2(3); Nexus 3000 Series upgrade to 7.0(3)I4(9) or 7.0(3)I7(4); see full list in the Vulnerability section) [1]. Users are advised to upgrade to the appropriate fixed version. As a workaround, administrators can disable the NX-API feature if it is not required for operations [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
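
As an added example (not part of the advisory and not Cisco tooling), the Python below triages one inventory entry against the fixed releases listed above and checks a saved running-config for NX-API. It assumes NX-API is enabled by the NX-OS `feature nxapi` configuration line; the product keys, function names and sample config are constructed for illustration. A version that falls between two listed fixed releases is returned as "review", because the text above does not say which release train it belongs to.

```python
import re

# Fixed releases per product line, copied from the advisory text above.
FIXED = {
    "MDS 9000": ["8.1(1b)", "8.2(3)"],
    "Nexus 3000": ["7.0(3)I4(9)", "7.0(3)I7(4)"],
    "Nexus 3500": ["7.0(3)I7(4)"],
    "Nexus 2000/5500/5600/6000": ["7.3(4)N1(1)"],
    "Nexus 9000 standalone": ["7.0(3)I4(9)", "7.0(3)I7(4)"],
    "Nexus 7000/7700": ["7.3(3)D1(1)", "8.2(3)"],
}

# major.minor(maint[letter]) optionally followed by TRAIN<num>(build[letter])
_VER = re.compile(
    r"(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:([A-Z]+)(\d+)\((\d+)([a-z]?)\))?")

def parse_version(text):
    """Turn an NX-OS release string such as 7.0(3)I4(9) into a sortable tuple."""
    m = _VER.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS version: {text!r}")
    major, minor, maint, mlet, train, tnum, build, blet = m.groups()
    return (int(major), int(minor), int(maint), mlet,
            train or "", int(tnum or 0), int(build or 0), blet or "")

def nxapi_enabled(running_config):
    """True if the config has a 'feature nxapi' line ('no feature nxapi' does not count)."""
    return re.search(r"^[ \t]*feature nxapi[ \t]*$", running_config, re.M) is not None

def triage(product, version, running_config):
    """Return 'fixed', 'vulnerable', 'affected-nxapi-off' or 'review'."""
    fixes = sorted(parse_version(f) for f in FIXED[product])
    v = parse_version(version)
    if v >= fixes[-1] or v in fixes:
        return "fixed"
    if v > fixes[0]:
        # Between two listed fixed releases: train membership cannot be
        # decided from the advisory text alone, so hand it to a human.
        return "review"
    # Older than every listed fix: exposure depends on NX-API being enabled.
    return "vulnerable" if nxapi_enabled(running_config) else "affected-nxapi-off"

# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = "hostname lab-sw1\nfeature nxapi\nfeature ssh\n"

if __name__ == "__main__":
    print(triage("Nexus 3000", "7.0(3)I4(8)", SAMPLE_CONFIG))
```

A device reported as "affected-nxapi-off" still runs an affected release and should be scheduled for upgrade, since enabling NX-API later would expose it.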
