Security News > 2021 > May > Cisco Patches Code Execution Flaw in VPN Product 6 Months After Disclosure
Cisco this week announced the availability of patches for a high-severity vulnerability in AnyConnect Secure Mobility Client that could be exploited for code execution.
Initially disclosed in November 2020, the flaw affects the interprocess communication channel of the secure VPN application and could be abused by a local attacker to cause an AnyConnect user to run a malicious script.
It affects Linux, Windows, and macOS releases of the AnyConnect Secure Mobility Client, prior to version 4.10.00093, Cisco explains.
An attacker can exploit the bug by sending a crafted IPC message to the AnyConnect client IPC listener, which could result in the execution of a script with the same privileges as the targeted AnyConnect user.
To successfully exploit the vulnerability, the attacker needs valid user credentials for multiple accounts on the machine on which the AnyConnect client is running and must log in to the system while an active AnyConnect session is either established or being established.
The reason for which the flaw has a severity assessment of high, Cisco says, is because it allows for access to another user's data and execution space.