A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account.
The vulnerability is due to lack of checks in the code for the path to the downloader application and associated DLLs. An attacker could exploit this vulnerability by executing the downloader application from outside its expected location and providing a set of crafted DLLs. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account.
Functional code that exploits this vulnerability is publicly available.
Cisco has confirmed the vulnerability and software updates are available.
To exploit this vulnerability an attacker must authenticate and have local access to the targeted system. These access requirements may reduce the likelihood of a successful exploit.
This issue was independently reported to the Cisco PSIRT by Google Project Zero and Mr. Yorick Koster of Securify B.V. We would like to thank Google Project Zero and Securify B.V. for reporting this vulnerability to Cisco and working with us towards a coordinated disclosure.