Unrated severityNVD Advisory· Published Jun 28, 2023· Updated Aug 2, 2024

CVE-2023-20178

Description

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

Affected products

Cisco Systems, Inc./Cisco Secure Clientcpe-rescue
Range: 4.9.00086

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kwmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.022
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000