AnyConnect Windows client under active attack, Cisco warns
Cisco has issued a fresh warning on two vulnerabilities in its AnyConnect Secure Mobility Client for Windows that attackers are exploiting even though patches were released two years ago.
The first vulnerability is tracked as CVE-2020-3433 and is rated high risk, with a CVSS severity score of 7.8 out of 10. It is a privilege escalation bug that allows authenticated users in a network to execute code with system-level privileges. Attackers exploit it through malware already present on the machine or through a malicious insider, gaining full control over systems running AnyConnect.
This vulnerability was first discovered and fixed by Cisco in August 2020. Cisco is now advising customers to upgrade to a patched release, since proof-of-concept exploit code for this vulnerability is publicly available.
“In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” Cisco wrote in its updated advisory.
The other vulnerability being exploited is tracked as CVE-2020-3153. Although it is rated medium risk, it is already on Cisco's and CISA's watchlists and should therefore be given high priority for patching.
This second bug is in the AnyConnect installer component: because directory paths are handled incorrectly, an authenticated user could place their own code into a system directory and have it run with high privileges, allowing them to gain remote control over the system.
To ensure both vulnerabilities are patched, confirm that you are running version 4.9.00086 or newer of the Windows client.
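As an added example (not code from the article or from Cisco), the following PowerShell snippet checks the AnyConnect version installed on a Windows host against the fixed release 4.9.00086 named above and flags hosts that still need the upgrade. It assumes the client registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning "Cisco AnyConnect"; that name pattern is an assumption, and the exit code convention is the author's choice for fleet tooling.

```powershell
# Added example, not Cisco's code: flag AnyConnect Windows clients older than the
# fixed release named in the article. Run on the endpoint being checked.
$FixedVersionText = '4.9.00086'              # fixed release from the article
$FixedVersion     = [version]$FixedVersionText   # System.Version parses this as 4.9.86

# Standard Uninstall registry locations (64-bit and 32-bit views). The DisplayName
# pattern used below is an assumption about how the client registers itself.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$clients = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Cisco AnyConnect*' -and $_.DisplayVersion }

if (-not $clients) {
    Write-Output 'No Cisco AnyConnect client found in the Uninstall registry keys.'
    return
}

$needsUpgrade = $false
foreach ($client in $clients) {
    try {
        $installed = [version]$client.DisplayVersion
    } catch {
        # An unparseable version string is treated as non-compliant rather than ignored.
        Write-Output ("CHECK: cannot parse version '{0}' for {1}." -f $client.DisplayVersion, $client.DisplayName)
        $needsUpgrade = $true
        continue
    }

    if ($installed -ge $FixedVersion) {
        Write-Output ("OK: {0} {1} is at or above {2}." -f $client.DisplayName, $client.DisplayVersion, $FixedVersionText)
    } else {
        Write-Output ("UPGRADE: {0} {1} is below {2} (CVE-2020-3433, CVE-2020-3153)." -f $client.DisplayName, $client.DisplayVersion, $FixedVersionText)
        $needsUpgrade = $true
    }
}

# A non-zero exit lets a scheduled task or endpoint-management tool mark the host non-compliant.
if ($needsUpgrade) { exit 1 }
```

The comparison is done on parsed System.Version objects rather than on the raw strings, so "4.10.07061" correctly sorts above "4.9.00086" (a plain string comparison would get that wrong). Several AnyConnect modules may register separately under the same name prefix; each entry is checked, and any one below the fixed release marks the host for upgrade.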