Cisco Patches Code Execution Flaw in VPN Product 6 Months After Disclosure
Earlier this week, Cisco announced that it had released patches for a high-severity vulnerability that lies in its AnyConnect Secure Mobility Client that can be exploited for remote code execution. The flaw was initially disclosed in November of 2020, and it has taken roughly six months for the company to release a patch. The flaw affects the interprocess communication channel of the secure VPN application. The flaw could be used by an attacker to run a malicious script, however, exploitation of the bug requires authentication.
When the issue was disclosed, Cisco told its customers that a proof-of-concept exploit had already been made available. However, the exploit is difficult to find on the web and there is no proof that the flaw was actively exploited in the wild. The bug has a CVSS score of 7.3. Successfully exploiting the vulnerability would require the attacker to obtain valid credentials for multiple accounts on the machine in which the AnyConnect client is running. Despite the nature of the attack, Cisco has warned its customers to implement the patch as soon as possible to avoid any risk of exploitation.