LiveActive security incident?Get immediate response
CVE Record

CVE-2020-3394: Cisco Nexus 3000 and 9000 Series Switches Privilege Escalation Vulnerability

A vulnerability in the Enable Secret feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to issue the enable command and get full administrative privileges. To exploit this vulnerability, the attacker would need to have valid credentials for the affected device. The vulnerability is due to a logic error in the implementation of the enable command. An attacker could exploit this vulnerability by logging in to the device and issuing the enable command. A successful exploit could allow the attacker to gain full administrative privileges without using the enable password. Note: The Enable Secret feature is disabled by default.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2020-3394 lets a user who already has valid access to certain Cisco Nexus switches become a full administrator without the enable password. The issue affects Nexus 3000 and 9000 switches running standalone NX-OS mode when the Enable Secret feature is in use. The feature is disabled by default.

Executive priority

Prioritize remediation where affected switches support critical network segments or shared infrastructure. The issue is not remotely exploitable without credentials, but successful abuse gives full switch control, which can affect confidentiality, integrity, and availability of network operations.

Technical view

Cisco describes a logic error in the NX-OS enable command implementation. An authenticated local attacker with valid device credentials could issue the enable command and gain full administrative privileges without supplying the enable password. The CVSS 3.0 score is 7.8 with local access and low privileges required.

Likely exposure

Exposure is most likely in environments using Cisco Nexus 3000 or 9000 switches in standalone NX-OS mode, especially where Enable Secret is enabled and lower-privileged device accounts exist. Devices not using that feature have lower apparent exposure based on the source bundle.

Exploitation context

The sources do not show known active exploitation, and CISA KEV status is false in the bundle. Exploitation requires valid credentials and local authenticated access to the affected device, so this is mainly an insider, stolen-credential, or post-compromise privilege escalation risk.

Researcher notes

The key conditions are authenticated local access, Cisco Nexus 3000 or 9000 hardware, standalone NX-OS mode, and Enable Secret usage. Public details in the bundle identify the logic error and impact but do not provide release-level fix details, so validate remediation directly against Cisco guidance.

Mitigation direction

  • Inventory Nexus 3000 and 9000 switches running standalone NX-OS mode.
  • Check whether the Enable Secret feature is enabled on those devices.
  • Review Cisco advisory guidance for affected releases, fixed software, and workarounds.
  • Restrict device login privileges to administrators with a clear operational need.
  • Monitor administrative logins and privilege changes on affected switches.

Validation and detection

  • Confirm device model, NX-OS mode, and software version against Cisco advisory guidance.
  • Review switch configuration for use of the Enable Secret feature.
  • Validate that non-admin accounts cannot obtain administrative privileges unexpectedly.
  • Check AAA and local account lists for unnecessary low-privileged device users.
  • Review logs for unexpected enable command use or privilege escalation events.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-285: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Privilege behavior lookup

The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-3394 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.0HighCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

7.8High
CVSS 3.0 vector shape for CVE-2020-3394Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco NX-OS Softwaren/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-285 · source CWE mapping

Improper Authorization

Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.