
CVE-2023-20178

Severity: High
Published: 28 June 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (see the Cisco Security Advisory below)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2774 (96.6th percentile)
Risk Priority: 32 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-20178 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Its CVSS v3.1 base score is 7.8 (High); the vector (AV:L, PR:L, UI:N) describes a local attacker who already holds a low-privileged account and needs no user interaction, and the C:H/I:H/A:H impact reflects full compromise of the host once SYSTEM is obtained.

Operationally, its EPSS score of 0.2774 places it in the top 3.4% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-20178 is an Incorrect Default Permissions weakness (CWE-276) in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. The update process runs after a VPN connection has been established and creates a temporary directory with incorrect permissions, so a low-privileged local user can write into a location that a SYSTEM-level process later trusts. The issue carries a CVSS 3.1 base score of 7.8.

A low-privileged, authenticated local attacker can exploit the flaw by abusing a specific function of the Windows installer process once the VPN connection is up, resulting in arbitrary code execution with SYSTEM privileges. No user interaction is required beyond the attacker's own session.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw describes the issue and its remediation. The EPSS score has remained flat at its peak of 0.2774, with no material rise observed.


Vulnerability details

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.
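Added example, not from the page, NVD or Cisco: a PowerShell check for the weakness class described in the deeper analysis and in the vulnerability details above (a directory created by a privileged process that low-privileged users can write to), together with the safe way to create such a directory. The page does not name the directory the vulnerable updater created, so the path is a caller-supplied assumption; the list of low-privileged principals and the rights mask are the editor's choices.

```powershell
# Added example (not the page's or Cisco's code). Two functions:
#  - Test-WeakDirectoryAcl  reports Allow ACEs that give low-privileged principals
#    write-type rights on a directory (the CWE-276 pattern behind this CVE).
#  - New-RestrictedDirectory creates a directory whose ACL is set at creation time
#    so that only SYSTEM and Administrators can touch it.
# $Path is an assumption in both functions: the page does not name the directory.

function Test-WeakDirectoryAcl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Rights that let a user plant, replace or remove files in the directory.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, TakeOwnership, FullControl'

    # Principals that every low-privileged interactive user is a member of (editor's list).
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($lowPriv -notcontains $who) { continue }
        # Cast to int so generic rights bits that are not named in the enum still compare.
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function New-RestrictedDirectory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $security = [System.Security.AccessControl.DirectorySecurity]::new()
    # Stop inheritance so a permissive parent (for example a world-writable temp root)
    # cannot leak write access into the new directory.
    $security.SetAccessRuleProtection($true, $false)
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $security.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    # Apply the ACL at creation time. Creating first and calling Set-Acl afterwards leaves a
    # window in which another local user can already have planted files.
    # This (string, DirectorySecurity) overload is the .NET Framework one used by Windows
    # PowerShell 5.1; on PowerShell 7 use [System.IO.FileSystemAclExtensions]::CreateDirectory($security, $Path).
    $dir = [System.IO.Directory]::CreateDirectory($Path, $security)
    return $dir.FullName
}

# Usage: audit a shared temp root, then create a staging directory the audit does not flag.
Test-WeakDirectoryAcl -Path $env:TEMP | Format-Table -AutoSize
$staging = New-RestrictedDirectory -Path (Join-Path $env:ProgramData 'ExampleUpdater\staging')
Test-WeakDirectoryAcl -Path $staging | Format-Table -AutoSize
```

Run the audit from an elevated prompt against the directories an installer or updater writes to; any row whose Principal is Users, Everyone or Authenticated Users is the condition this CVE class depends on. The second function is the corrective pattern: protect the ACL from inheritance and grant it to the privileged principals only, in the same call that creates the directory.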

CWE(s)

CWE-276: Incorrect Default Permissions

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Cisco AnyConnect Secure Mobility Client Software for Windows: releases earlier than 4.10.07061 (4.10.07061 is the first fixed release)
- Cisco Secure Client Software for Windows: releases earlier than 5.0.02075 (5.0.02075 is the first fixed release)
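Added example, not Cisco's tooling: a PowerShell inventory check that reads installed product versions from the Uninstall registry keys and flags those below the fixed releases named above. The DisplayName prefixes are assumptions about how the products register in Add/Remove Programs (a Secure Client install registers several module entries, all matched here by prefix); verify them against a known host before relying on the result fleet-wide.

```powershell
# Added example (not Cisco's code). Compares installed AnyConnect / Secure Client versions
# with the first fixed releases for CVE-2023-20178. Product name prefixes are assumptions.

$fixedReleases = @{
    'Cisco AnyConnect Secure Mobility Client' = [version]'4.10.07061'
    'Cisco Secure Client'                    = [version]'5.0.02075'
}

function Get-CiscoClientExposure {
    [CmdletBinding()]
    param()

    # Standard per-machine uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        ForEach-Object {
            $entry = $_
            # Match by prefix so module entries such as "<product> - AnyConnect VPN" are included.
            $product = $fixedReleases.Keys | Where-Object { $entry.DisplayName -like "$($_)*" } | Select-Object -First 1
            if (-not $product) { return }

            $installed = $null
            if (-not [version]::TryParse($entry.DisplayVersion, [ref]$installed)) {
                Write-Warning "Cannot parse version '$($entry.DisplayVersion)' for $($entry.DisplayName)"
                return
            }

            [pscustomobject]@{
                DisplayName = $entry.DisplayName
                Installed   = $installed
                FixedIn     = $fixedReleases[$product]
                Vulnerable  = $installed -lt $fixedReleases[$product]
            }
        }
}

Get-CiscoClientExposure | Format-Table -AutoSize
```

The [version] comparison is what makes this reliable: string comparison would rank 4.10.07061 below 4.9.x because "1" sorts before "9". Entries whose DisplayVersion does not parse are reported as warnings rather than silently treated as fixed.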

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-276) cited in the NVD entry. Each item addresses CWE-276.

- Access control policy can specify and enforce secure default permissions for resources.
- Guides setting of default permissions to the minimum required level.
- Establishes requirements for appropriate default permissions on system resources as part of configuration management.
- Baseline establishment and updates on install/upgrade ensure correct default permissions rather than insecure ones.
- Requiring the most restrictive settings instead of defaults prevents incorrect default permissions on resources.
- Requires documented processes that include setting and maintaining correct default permissions for configuration items.
- Requires addressing secure default permissions in physical and environmental protection controls.
- Tailoring explicitly overrides or scopes default permission assignments in the baseline to match the system's actual risk and operational needs.

References

Cisco Security Advisory cisco-sa-ac-csc-privesc-wx4U4Kw: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw