Cyber Resilience

CVE-2020-3433

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 17 August 2020

Modified: 28 October 2025
KEV Added: 24 October 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0392 (88.6th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-3433 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Cisco AnyConnect Secure Mobility Client. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 11.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

A vulnerability in the interprocess communication channel of Cisco AnyConnect Secure Mobility Client for Windows allows an authenticated local attacker to perform a DLL hijacking attack. The issue stems from insufficient validation of resources loaded by the application at runtime and is tracked under CWE-427. Exploitation occurs when a crafted IPC message is sent to the AnyConnect process, resulting in arbitrary code execution with SYSTEM privileges on the affected Windows system.

An attacker must possess valid local credentials on the Windows host to trigger the flaw. Successful exploitation grants the ability to run arbitrary code at the highest privilege level without further user interaction, affecting confidentiality, integrity, and availability.

The Cisco Security Advisory cisco-sa-anyconnect-dll-F26WwJW provides official guidance on the issue, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. Public exploit code has also been shared via Packet Storm.

EU & UK References

Vulnerability details

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

CWE(s)
KEV Date Added: 24 October 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: anyconnect secure mobility client
Affected versions: ≤ 4.9.00086

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly counters the root cause of insufficient validation of IPC messages and runtime-loaded resources that enables the DLL hijacking.

prevent

Requires integrity verification of software components and loaded resources, blocking crafted or unauthorized DLLs from executing with SYSTEM privileges.

prevent

Limits the privileges of the AnyConnect process and local users so that successful exploitation cannot immediately yield SYSTEM-level code execution.

References