Cisco AnyConnect Secure Mobility Client for Windows is being heavily exploited in the wild...

Continue reading
Two vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows have been publicly disclosed, and Cisco has issued a warning to its customers.
Using SSL and IPsec IKEv2, the AnyConnect Secure Mobility Client streamlines access to secure business endpoints and enables remote work over a private, encrypted VPN connection.
Both vulnerabilities identified as CVE-2020-3433 and CVE-2020-3153 allow local attackers to execute arbitrary code with full system privileges, including DLL hijacking attacks and file copying to arbitrary system directories.
In the event of successful exploitation, attackers might gain SYSTEM privileges and execute arbitrary code on the targeted Windows machines.
Fortunately, both flaws need authentication, so attackers would need to already possess valid credentials on the system to exploit them. But as proof-of-concept exploits are already accessible online for both CVEs, they might be chained with Windows privilege escalation vulnerabilities.
Cisco has updated its security warnings to urge administrators to repair the vulnerable software in order to prevent continued attacks. The patches were first released in 2020.
The Cisco PSIRT discovered more attempts to exploit this vulnerability in the wild in October 2022, the firm said.
Even now, _"Cisco continues to strongly suggest that clients upgrade to a corrected software release to remedy this vulnerability."_ It has been added to CISA's database of bugs that can be used in attacks.
Both vulnerabilities have been included to the Cybersecurity and Infrastructure Security Agency's (CISA) list of Known Exploited Vulnerabilities, as was announced on Monday.
From the month of November 2021 forward, all FCEB agencies will be compelled by a binding operational directive (BOD 22-01) to implement patches or mitigation measures for any vulnerabilities that are added to CISA's list of bugs used in attacks.
The government authorities were given a deadline of November 11th, or three weeks, to prevent any further exploitation.
According to the latest statement from CISA, _"these sorts of vulnerabilities are a frequent attack vector for malevolent cyber actors and represent substantial danger to the federal organization."_
Even Rule BOD 22-01 only applies to U.S. FCEB agencies, the U.S. cybersecurity agency has urgently advised all enterprises globally to prioritize addressing these security bugs.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.