Federal agency urges removal of OS command injection weaknesses
In the ever-evolving landscape of cybersecurity, one threat continues to loom large: OS command injection vulnerabilities. As of mid-2025, these vulnerabilities remain a significant security risk, with several high-profile exploits targeting critical network infrastructure in 2024 [1].
Notable instances include the Palo Alto PAN-OS (CVE-2024-3400), Ivanti Connect Secure (CVE-2024-21887), and Cisco NX-OS (CVE-2024-20399) [1]. These vulnerabilities have been actively exploited and are closely monitored by cybersecurity agencies.
In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint Secure by Design Alert in July 2024, emphasising that these command injection flaws are preventable by securely separating user input from command execution contexts [1]. However, they persist due to poor coding practices.
Subsequently, in July 2025, CISA and the FBI released updated guidance on product security bad practices as part of the Secure by Design initiative. This update incorporates community feedback and expands the recommendations on patching timelines, the importance of memory-safe programming languages, and further bad practices to avoid [2].
CISA continues to add critical OS command injection vulnerabilities to its Known Exploited Vulnerabilities Catalog to help organisations prioritise patching and detection efforts [2]. The initiative urges network defenders to upgrade vulnerable products like Ivanti CSA and to use provided indicators of compromise (IOCs) to hunt malicious activity [2].
Recent threat investigations and threat hunts illustrate ongoing exploitation patterns linked to injected commands and poor credential management [3][4][5]. These findings underscore the broader threat ecosystem into which OS command injection vulnerabilities fit.
In summary, OS command injection vulnerabilities remain a top exploited vulnerability with known high-impact cases in 2024-2025 [1][2]. CISA and the FBI emphasise secure coding by separating user input from commands to prevent injection [1]. The Secure by Design initiative guides product security improvements, patching practices, and use of memory-safe languages to reduce injection and related vulnerabilities [2]. CISA maintains and updates a catalog of exploited vulnerabilities, encouraging timely patching and active network defense [2].
This reflects a consistent and evolving approach by CISA and the FBI combining vulnerability management, secure design principles, and operational threat intelligence to mitigate OS command injection risks as of 2025.
OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying operating system. CISA has been urging the software industry to use memory-safe programming languages and eliminate classes of vulnerabilities for years. However, unsafe software development practices persist despite CISA's efforts.
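The coding error the alert describes, and the separation of user input from the command execution context that CISA says prevents it, shown as an added Python example that is not part of the advisory or of any affected product (the ping utility, the hostname rule and the function names are assumptions):

```python
"""Added example (not from the advisory): how OS command injection arises and
two ways to keep user input out of the command execution context.
Assumptions: the feature only needs to ping a DNS name or IPv4 literal."""
import re
import shlex
import subprocess

# Strict allowlist for a hostname. Shell metacharacters (; | & $ ` and
# whitespace) can never match, so they are rejected before any command exists.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Return host unchanged if it is a plain hostname, else raise ValueError."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_shell_command_vulnerable(host: str) -> str:
    """The flawed pattern the alert warns about: unvalidated input is pasted
    into a string that a shell will parse, so any metacharacter in `host`
    becomes part of the command. Returned, never executed, for illustration."""
    return "ping -c 1 " + host


def build_argv(host: str) -> list:
    """Hardened: the command is an argv list, so `host` is always one literal
    argument and no shell ever parses it. Input is validated first."""
    return ["ping", "-c", "1", validate_host(host)]


def build_shell_command_quoted(host: str) -> str:
    """Fallback when a shell is unavoidable: quote the validated value so the
    shell treats it as a single word."""
    return "ping -c 1 " + shlex.quote(validate_host(host))


def run_ping(host: str) -> int:
    """Execute with shell=False (the default) and return the exit status."""
    return subprocess.run(build_argv(host), check=False).returncode


if __name__ == "__main__":
    print(build_argv("example.com"))
```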
CISA's efforts to change software development practices are hindered by its non-regulatory status. The agency has encouraged 162 software manufacturers to sign the secure-by-design pledge since May. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk.
Internal development practices that undercut security are common in the technology industry, and CISA is trying to end this practice through its secure-by-design initiative. The advisory was issued as part of CISA's secure-by-design alert series.
Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs, and CVE-2024-3400 in Palo Alto Networks firewalls.
Corporate stakeholders want to better understand the risk calculus of their technology stacks, addressing the question: Are we a target? The Cybersecurity and Infrastructure Security Agency (CISA) and FBI have advised software vendors to eliminate operating system command injection vulnerabilities from their products before shipping.
CISA was directly impacted by an exploited OS command injection vulnerability in Ivanti remote access VPNs. Federal authorities are highlighting the unresolved impact of OS command injection vulnerabilities to emphasise the importance of proper software controls.
CISA consistently shares its vision for how manufacturers should incorporate security into their products and practices. In April 2023, CISA unveiled secure-by-design principles. Separately, after investigating the Ivanti VPN intrusion, CISA found no evidence of data theft or lateral movement, but warned it could not rule out that data was stolen from the Chemical Security Assessment Tool.
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) emphasise the need for secure coding practices in data-and-cloud-computing technology to prevent OS command injection vulnerabilities, such as the ones found in Palo Alto PAN-OS, Ivanti Connect Secure, and Cisco NX-OS.
- Despite CISA's efforts to promote secure by design principles and memory-safe programming languages, OS command injection vulnerabilities continue to be a significant threat in the cybersecurity landscape, as highlighted by the exploitation of CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs, and CVE-2024-3400 in Palo Alto Networks firewalls.
- To combat this ongoing threat, CISA continues to update its Known Exploited Vulnerabilities Catalog, urging network defenders to upgrade vulnerable products like Ivanti CSA and use provided indicators of compromise (IOCs) to hunt malicious activity, as part of its Secure by Design initiative.