Get in Touch
Indiscriminate, opportunistic targeting.
Cisco has remediated a vulnerability, tracked as CVE-2023-20178, discovered in their Secure Client software. This software allows users to operate remotely via a Virtual Private Network (VPN) and provides administrators with additional endpoint management and telemetry features. At the time of writing, the flaw has not been reported to have been actively exploited.
Update: 21st June 2023
A Proof of Concept (PoC) code has been released for the high-severity Cisco Secure Client Software vulnerability, tracked as CVE-2023-20178.
The PoC can allow threat actors to elevate privileges to SYSTEM.
Successful exploitation of CVE-2023-20178 could allow threat actors to elevate privileges to the SYSTEM account used by the operating system.
Cisco has released security updates with regards to the vulnerability. As such, previous versions are vulnerable to potential exploit.
Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows.
Additionally, Cisco has confirmed that the following product versions are not vulnerable to CVE-2023-20178:
- Cisco AnyConnect Secure Mobility Client for Linux
- Cisco AnyConnect Secure Mobility Client for MacOS
- Cisco Secure Client-AnyConnect for Android
- Cisco Secure Client AnyConnect VPN for iOS
- Cisco Secure Client for Linux
- Cisco Secure Client for MacOS
Containment, Mitigations & Remediations
No workarounds are currently available for CVE-2023-20178 and, as such, it is strongly recommended that users apply the relevant product updates as soon as possible. The flaw was remediated in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Cisco occupies a significant proportion of the enterprise network infrastructure market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Cisco products have become a prime target. Due to the fact that Cisco products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.
Vulnerabilities with active exploitation have previously emerged with regards to AnyConnect, namely: CVE-2020-3433 and CVE-2020-3153. It has been well documented that such vulnerabilities are a frequent attack vector for threat actors, and it is therefore highly probable that these vulnerabilities will continue to be exploited as they become known.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0004 – Privilege Escalation