Security News > 2022 > October > Cisco AnyConnect Windows client under active attack
Cisco says miscreants are exploiting two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, which is supposed to ensure safe VPN access for remote workers.
One of the pair of flaws, tracked as CVE-2020-3433, is a privilege-escalation issue: an authenticated, local user can exploit AnyConnect to execute code with SYSTEM-level privileges.
Cisco first alerted customers about this bug in August 2020, and previously warned that proof-of-concept exploit code was publicly available.
"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
The second Cisco vulnerability, tracked as CVE-2020-3153, is in the installer component of the AnyConnect Secure Mobility Client for Windows, and it also requires a logged-in user or malware on a system to exploit.
A day before the vendor released its own security update, the US Cybersecurity and Infrastructure Agency added both of the Cisco AnyConnect Secure Mobility Client for Windows bugs to its Known Exploited Vulnerabilities Catalog.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/26/cisco_vpn_bugs_exploited/
Related news
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)
- Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack (source)
- Cisco fixes VPN DoS flaw discovered in password spray attacks (source)
- Emergency patch: Cisco fixes bug under exploit in brute-force attacks (source)
- New Cisco ASA and FTD features block VPN brute-force password attacks (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-17 | CVE-2020-3433 | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. | 7.8 |
| 2020-02-19 | CVE-2020-3153 | Uncontrolled Search Path Element vulnerability in Cisco Anyconnect Secure Mobility Client 4.8.00175/4.8.01090 A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. | 4.9 |