Security News > 2020 > November > Cisco discloses AnyConnect VPN zero-day, exploit code available
Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available.
While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.
The Cisco AnyConnect Secure Mobility Client security flaw has not yet been exploited in the wild according to the Cisco Product Security Incident Response Team.
The high severity vulnerability tracked as CVE-2020-3556 exists in the interprocess communication channel of Cisco AnyConnect Client and it may allow authenticated and local attackers to execute malicious scripts via a targeted user.
Cisco today also fixed 11 other high severity and 23 medium severity security bugs in multiple products that could lead to denial of service or arbitrary code execution on vulnerable devices.
News URL
Related news
- New Mirai botnet targets industrial routers with zero-day exploits (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Zero-Day Vulnerability in Ivanti VPN (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (source)
- Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025 (source)
- Cisco warns of denial of service flaw with PoC exploit code (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-06 | CVE-2020-3556 | Unspecified vulnerability in Cisco Anyconnect Secure Mobility Client 4.9(3052)/98.145(86) A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script. | 7.3 |