“To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the An圜onnect client is being run.”Īccording to Cisco, the vulnerability exists in the interprocess communication (IPC) channel. “In order to successfully exploit this vulnerability, there must be an ongoing An圜onnect session by the targeted user at the time of the attack,” according to Cisco. The flaw could allow an attacker to cause a targeted An圜onnect user to execute a malicious script – however, in order to launch an attack a cybercriminal would need to be authenticated and on the local network.
Cisco anyconnect secure mobility client software#
“Cisco plans to fix this vulnerability in a future release of Cisco An圜onnect Secure Mobility Client Software.”Īn圜onnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features, and roaming protection) for endpoints.
“Cisco has not released software updates that address this vulnerability,” according to Cisco’s Wednesday advisory. The flaw (CVE-2020-3556) is an arbitrary code execution vulnerability with a CVSS score of 7.3 out of 10, making it high severity.
While Cisco said it is not aware of any exploits in the wild for the vulnerability, it said Proof-of-Concept (PoC) exploit code has been released, opening up risks of cybercriminals potentially leveraging the flaw.
Cisco anyconnect secure mobility client Patch#
Cisco has disclosed a zero-day vulnerability – for which there is not yet a patch – in the Windows, macOS and Linux versions of its An圜onnect Secure Mobility Client Software.
0 kommentar(er)
