← back
CVE-2020-3153

Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability

CVSS 6.5 MEDIUMEPSS 28.3%● KEVCWE-427
In short

A flaw in Cisco AnyConnect's installer for Windows allows an authenticated attacker to place malicious files into system directories with elevated privileges. This could enable DLL hijacking attacks that compromise system security.

Technical detail

An uncontrolled search path vulnerability in the AnyConnect Windows installer component permits authenticated local attackers to write arbitrary files to system-level directories with SYSTEM privileges through improper directory path handling. This enables DLL pre-loading and hijacking attacks; exploitation requires valid local credentials on the target system.

Summary generated and translated by AI from the official description.
A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Affected products
Cisco · Cisco AnyConnect Secure Mobility Client
public PoCs found6
githubgithub.com/goichot/CVE-2020-3153105githubgithub.com/shubham0d/CVE-2020-31535githubgithub.com/raspberry-pie/CVE-2020-31530cve_referencepacketstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.htmlunverifiedcve_referencepacketstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.htmlunverifiedcve_referencepacketstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.htmlhttp://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.htmlhttp://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.htmlhttp://seclists.org/fulldisclosure/2020/Apr/43https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsjhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3153