Cisco Warns AnyConnect VPNs Under Active Cyberattack

A pair of known security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows is being actively exploited in the wild, despite being patched for two-plus years.

The networking giant is warning that cybercrime groups are pressing two local privilege escalation (LPE) bugs into service, with active exploit chains against the VPN platform being observed starting this month.

The first flaw (CVE-2020-3153, with a CVSS score of 6.5) would allow a logged-in user to send a specially crafted IPC message to the AnyConnect process to perform DLL hijacking and execute arbitrary code on the affected machine with SYSTEM privileges. The second issue (CVE-2020-3433, with a CVSS score of 7.8) could allow a logged-in user to copy arbitrary files to system-level directories with SYSTEM privileges.

"In October 2022, the Cisco Product Security Incident Response Team became aware of additional attempted exploitation of this vulnerability in the wild," Cisco noted in the updated advisories.

The situation showcases the danger that older vulnerabilities continue to pose to companies and individuals. LPE patches are often de-prioritized in the glut of updates that businesses are faced with every month, but exploit chains often combine a remote code execution (RCE) bug for initial access with an LPE exploit for burrowing deeper into corporate networks and uncovering sensitive information.

The US Cybersecurity and Infrastructure Security Agency (CISA) also this week added the bugs to its Known Exploited Vulnerabilities (KEV) catalog, along with four even older bugs in Cisco's Gigabyte gaming and graphics drivers (CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, CVE-2018-19323). Sophos flagged exploitation of the latter earlier in the month by the BlackByte ransomware gang.