CVE-2020-3433: 
Cisco AnyConnect Secure Client vulnerability analysis and mitigation

A vulnerability (CVE-2020-3433) was discovered in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows. The vulnerability was disclosed on August 5, 2020, affecting versions prior to 4.9.00086. This DLL hijacking vulnerability received a CVSS score of 7.8, indicating a high severity level (Cisco Advisory, NVD).

The vulnerability exists in the installer component of Cisco AnyConnect Secure Mobility Client for Windows. The flaw allows local attackers to execute code on the affected machine with system level privileges through DLL hijacking. The attack vector involves sending a specially crafted IPC request to TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service then launches the vulnerable installer component (vpndownloader) with a supplied DLL, which executes with system privileges (Rapid7).

If successfully exploited, this vulnerability allows authenticated local attackers to execute arbitrary code with SYSTEM level privileges on the affected Windows system. This represents a significant elevation of privilege that could lead to complete system compromise (Hacker News).

Cisco has released patches to address this vulnerability and strongly recommends that customers upgrade to a fixed software release (version 4.9.00086 or later). No workarounds are available for this vulnerability (Cisco Advisory).

The vulnerability has gained significant attention in the cybersecurity community, particularly after being added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, security researchers have identified this vulnerability being actively exploited by ransomware groups, including the Russian-speaking group OldGremlin (Hacker News).