Successful exploitation of this vulnerability allows a local attacker to gain SYSTEM privileges.
Cisco anyconnect profile location update#
One of these commands it to launch the vpndownloader application and update An圜onnect.Ī path traversal vulnerability exists in the vpndownloader application for Windows that allows a local user to create and run files outside of the temporary installer folder.
This service exposes TCP port 62522 on the loopback device to which clients can connect and send commands to be handled by this service. Auto-update also works for low-privileged users, this is possible because the update is initiated from a service running with SYSTEM privileges ( Cisco An圜onnect Secure Mobility Agent). IntroductionĬisco An圜onnect Secure Mobility Client contains functionality to auto-update itself.
Ĭisco has released bug ID CSCvs46327 for registered users, which contains additional details and an up-to-date list of affected product versions. Cisco customers with active contracts can obtain updates through the Software Center at. This vulnerability was fixed in Cisco An圜onnect Secure Mobility Client for Windows version 2. This issue was successfully verified on Cisco An圜onnect Secure Mobility Client for Windows version 0.