Security News > 2022 > October > Cisco AnyConnect Windows client under active attack

Cisco says miscreants are exploiting two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, which is supposed to ensure safe VPN access for remote workers.
One of the pair of flaws, tracked as CVE-2020-3433, is a privilege-escalation issue: an authenticated, local user can exploit AnyConnect to execute code with SYSTEM-level privileges.
Cisco first alerted customers about this bug in August 2020, and previously warned that proof-of-concept exploit code was publicly available.
"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
The second Cisco vulnerability, tracked as CVE-2020-3153, is in the installer component of the AnyConnect Secure Mobility Client for Windows, and it also requires a logged-in user or malware on a system to exploit.
A day before the vendor released its own security update, the US Cybersecurity and Infrastructure Security Agency (CISA) added both of the Cisco AnyConnect Secure Mobility Client for Windows bugs to its Known Exploited Vulnerabilities Catalog.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/26/cisco_vpn_bugs_exploited/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2020-08-17 | CVE-2020-3433 | Uncontrolled Search Path Element vulnerability in Cisco AnyConnect Secure Mobility Client | A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. | 7.8 |
| 2020-02-19 | CVE-2020-3153 | Uncontrolled Search Path Element vulnerability in Cisco AnyConnect Secure Mobility Client 4.8.00175/4.8.01090 | A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. | 6.5 |