Cisco has warned customers that two security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild. The AnyConnect Secure Mobility Client simplifies secure enterprise endpoint access and enables employees to work from anywhere while connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2. The two security flaws (tracked as CVE-2020-3433 and CVE-2020-3153) enable local attackers to perform DLL hijacking attacks and copy files to system directories with system-level privileges. Following successful exploitation, the attackers could execute arbitrary code on the targeted Windows devices with SYSTEM privileges. Luckily, both vulnerabilities require authentication, with the attackers being required to have valid credentials on the system. However, they could be chained with Windows privilege escalation flaws, especially since proof-of-concept exploits are already available online for both CVEs.
Cisco updated the security advisories for patches released in 2020 to ask admins to update the vulnerable software and block ongoing attacks. “In October 2022, the Cisco PSIRT became aware of additional attempted exploitation of this vulnerability in the wild,” the company warned. “Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.” This warning confirms an announcement from Cybersecurity and Infrastructure Security Agency (CISA) on Monday that both security flaws have been added to its Known Exploited Vulnerabilities catalog. Once added to CISA’s list of bugs exploited in attacks, all Federal Civilian Executive Branch Agencies (FCEB) agencies are required by a binding operational directive (BOD 22-01) from November 2021 to apply patches or mitigation measures. The federal agencies were given three weeks, until November 11th, to ensure that any ongoing exploitation attempts would be blocked. As CISA added yesterday, “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”