
Target Industry

Indiscriminate, opportunistic targeting.

Overview

CVE-2020-3433 Severity level: High – Successful exploitation of this vulnerability would allow a threat actor to escalate to system-level privileges through a DLL hijacking attack.

CVE-2020-3153 Severity level: Medium – Successful exploitation of this vulnerability could allow a threat actor to copy user-supplied files to sensitive system directories with system-level privileges.

While CVE-2020-3433 and CVE-2020-3153 are older vulnerabilities, they have been added to the CISA Known Exploited Vulnerabilities Catalog because they have been observed being exploited by threat actors in recent attacks.

Impact

To exploit these vulnerabilities a threat actor requires valid user credentials on a vulnerable system. Successful exploitation could allow a threat actor to fully compromise the system, or to place further code in sensitive system directories in order to maintain access.

Vulnerability Detection

Check the installed release of Cisco AnyConnect Secure Mobility Client for Windows. CVE-2020-3433: releases earlier than Release 4.9.00086 are affected. CVE-2020-3153: releases earlier than Release 4.8.02042 are affected.
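The following PowerShell is an added example for this check; it is not taken from the Cisco or CISA advisories. It compares an installed client version against the two first-fixed releases quoted above. The default install path of vpnui.exe is an assumption, and the version string passed at the end is constructed to show the output for an affected build.

```powershell
# Added example (not from the Cisco or CISA advisories): compare an installed
# Cisco AnyConnect Secure Mobility Client for Windows version against the first
# fixed releases named in this bulletin. Anything earlier is affected.
$FixedReleases = [ordered]@{
    'CVE-2020-3433' = '4.9.00086'
    'CVE-2020-3153' = '4.8.02042'
}

function Get-AnyConnectExposure {
    <#
      Returns one record per CVE stating whether the supplied client version is
      earlier than the first fixed release. Versions are compared as
      [System.Version] so that 4.8.02042 sorts below 4.9.00086 and leading
      zeros in the build component do not break the comparison.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$InstalledVersion
    )

    # Keep only the numeric dotted prefix; FileVersion strings sometimes carry
    # trailing build text that [version] cannot parse.
    if ($InstalledVersion -notmatch '^\s*(\d+(\.\d+){1,3})') {
        throw "Unrecognised version string: '$InstalledVersion'"
    }
    $installed = [version]$Matches[1]

    foreach ($cve in $FixedReleases.Keys) {
        $fixed = [version]$FixedReleases[$cve]
        [pscustomobject]@{
            CVE        = $cve
            Installed  = $InstalledVersion.Trim()
            FixedIn    = $FixedReleases[$cve]
            Vulnerable = ($installed -lt $fixed)
        }
    }
}

# Assumed default install path (not stated in the bulletin). On a 32-bit OS
# there is no "Program Files (x86)", so fall back to Program Files.
$ProgramFilesDir = ${env:ProgramFiles(x86)}
if (-not $ProgramFilesDir) { $ProgramFilesDir = $env:ProgramFiles }
$VpnUi = Join-Path $ProgramFilesDir 'Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe'

if (Test-Path -LiteralPath $VpnUi) {
    $fileVersion = (Get-Item -LiteralPath $VpnUi).VersionInfo.FileVersion
    Get-AnyConnectExposure -InstalledVersion $fileVersion | Format-Table -AutoSize
} else {
    Write-Warning "AnyConnect client not found at '$VpnUi'; it may be absent or installed elsewhere."
}

# Constructed input for illustration: a 4.8.01090 client predates both fixes,
# so both rows report Vulnerable = True.
Get-AnyConnectExposure -InstalledVersion '4.8.01090' | Format-Table -AutoSize
```

Run it under an account that can read the install directory; on endpoints managed with a configuration manager, the same function can be fed the version reported by that tool instead of reading vpnui.exe directly.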

Affected Products

CVE-2020-3433: Cisco AnyConnect Secure Mobility Client for Windows releases earlier than Release 4.9.00086. CVE-2020-3153: Cisco AnyConnect Secure Mobility Client for Windows releases earlier than 4.8.02042.

Containment, Mitigations & Remediations

Application of all available software patches for Cisco AnyConnect Secure Mobility Client for Windows.

Indicators of Compromise

No current IOCs have been released by Cisco for either of these vulnerabilities.

Threat Landscape

No further information has been released as to the threat actors utilising these vulnerabilities; however, both currently have publicly available exploit code. It is therefore likely that opportunistic exploitation of these vulnerabilities will continue as they are discovered and shared across online forums.

Threat Group

No threat actor has been attributed to this exploitation.

Mitre Methodologies

T1574 – Hijack Execution Flow

T1078 – Valid Accounts

Further Information

Cisco Advisory for CVE-2020-3433

Cisco Advisory for CVE-2020-3153

CISA Known Exploited Vulnerabilities Catalog

Intelligence Terminology Yardstick