A ready-made, low-complexity path to pwning the popular enterprise VPN clients for remote workers is now circulating in the wild.

Dark Reading Staff, Dark Reading

June 22, 2023

[Image: Cisco logo on a mobile phone. Source: Pior Swat via Alamy Stock Photo]

A security researcher has dropped a proof-of-concept (POC) exploit for a just-patched, high-severity security vulnerability in Cisco's client software for remote workers looking to connect to VPNs.

The bug (CVE-2023-20178) is an arbitrary file delete vulnerability in the Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. It could allow a low-privileged, authenticated local attacker to escalate privileges to SYSTEM with no user interaction.

As Cisco explained in its patch advisory earlier this month: "A vulnerability in the client update process of [...] could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established."

Security researcher Filip Dragović released an exploit that does just that via a public GitHub posting this week. It abuses a process called "vpndownloader.exe," which is started in the background when a user connects to a VPN using either the Cisco Secure Client or the AnyConnect software.

"It will create a directory in c:\windows\temp with default permissions," explained Dragović, who originally discovered the flaw and reported it to Cisco. "After creating this directory, vpndownloader.exe will check if that directory is empty, and if it's not, it will delete all files/directories in there. This behavior can be abused to perform an arbitrary file delete as the NT Authority\SYSTEM account."

From there, attackers can use a known tactic that abuses Windows Installer behavior to turn the arbitrary file delete into a SYSTEM shell and elevate privileges, he added.
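The pattern Dragović describes, a privileged process that creates a work directory, then deletes whatever it finds inside, is a classic privilege escalation primitive whenever a lower-privileged user can place entries in that directory. The script below is an added example, not Cisco's or the researcher's code: it implements the naive cleanup beside a hardened one and runs both in a scratch directory. On Windows the redirection primitive is an NTFS junction or symlink and the privileged account is SYSTEM; here a POSIX symlink plays the same role so the script runs anywhere. The directory and file names, and the scenario itself, are constructed for the demo.

```python
"""
Added example (not Cisco's or the researcher's code): the "create a work
directory, then delete whatever is inside it" pattern, once the naive way
and once hardened, exercised in a scratch directory. On Windows the
redirection primitive is an NTFS junction or symlink and the privileged
account is SYSTEM; here a POSIX symlink plays the same role so the script
runs anywhere. All paths and names are constructed for the demo.
"""
import os
import stat
import tempfile


def naive_cleanup(workdir):
    """Vulnerable pattern: os.path.isdir() follows symlinks, so a link
    planted inside workdir makes the cleanup recurse into, and empty,
    a directory it was never meant to touch."""
    for name in os.listdir(workdir):
        path = os.path.join(workdir, name)
        if os.path.isdir(path):                 # follows the link: the bug
            naive_cleanup(path)
            if os.path.islink(path):
                os.unlink(path)                 # drop the link itself
            else:
                os.rmdir(path)
        else:
            os.unlink(path)


def safe_cleanup(workdir):
    """Hardened: refuse to operate on a link, and never follow links while
    deleting. On Windows the equivalent is rejecting reparse points
    (FILE_ATTRIBUTE_REPARSE_POINT) and opening with
    FILE_FLAG_OPEN_REPARSE_POINT; this uses the POSIX analogues."""
    st = os.lstat(workdir)                      # lstat: does not follow
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("work directory is a link or not a directory")
    with os.scandir(workdir) as entries:
        for entry in entries:
            if entry.is_symlink():
                os.unlink(entry.path)           # remove the link, keep its target
            elif entry.is_dir(follow_symlinks=False):
                safe_cleanup(entry.path)
                os.rmdir(entry.path)
            else:
                os.unlink(entry.path)


def make_workdir(base, hardened):
    """Create the work directory. The hardened variant creates it with an
    owner-only mode (the POSIX analogue of a restrictive DACL), fails if
    an attacker pre-created the path, and refuses a link at that path.
    The naive variant uses default permissions, as in the article."""
    path = os.path.join(base, "updater-work")   # constructed name
    if not hardened:
        os.makedirs(path, exist_ok=True)
        return path
    os.mkdir(path)                              # raises if it already exists
    os.chmod(path, 0o700)
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        raise RuntimeError("work directory path is a link")
    return path


def run_scenario(hardened):
    """Set up a victim file, a work directory and a planted link to the
    victim's directory, run the matching cleanup, and report whether the
    victim survived and whether the planted link was removed."""
    base = tempfile.mkdtemp(prefix="filedelete-demo-")
    victim_dir = os.path.join(base, "victim")
    os.mkdir(victim_dir)
    victim_file = os.path.join(victim_dir, "important.txt")
    with open(victim_file, "w") as fh:
        fh.write("must survive\n")
    workdir = make_workdir(base, hardened)
    planted = os.path.join(workdir, "planted")
    os.symlink(victim_dir, planted)             # the attacker-controlled entry
    (safe_cleanup if hardened else naive_cleanup)(workdir)
    return {
        "victim_survived": os.path.exists(victim_file),
        "link_removed": not os.path.lexists(planted),
        "workdir_mode": stat.S_IMODE(os.stat(workdir).st_mode),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "naive   ", run_scenario(hardened))
```

The naive run deletes the victim's file through the planted link; the hardened run removes only the link and leaves the target untouched. The two fixes are independent and both matter: the restrictive mode stops an attacker from planting anything in the first place, and the no-follow deletion limits the damage if the directory is ever reachable anyway.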

Organizations should patch their clients immediately — while Cisco noted no known exploitation at the time of patching, that will likely quickly change with a PoC circulating in the wild. Successful exploitation is "noncomplex," according to the researcher, and the software has a history of being targeted by cyberattackers looking to take over data-rich VPN sessions.
