October 3, 2023

A proof-of-concept (PoC) exploit was released by a researcher for the high-severity vulnerability tracked as CVE-2023-20178, which affects the Cisco AnyConnect Secure Mobility Client and Cisco Secure Client for Windows.

This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

During a software update, a temporary folder is created to hold copies of the files being modified, so that the installation can be rolled back if it fails.


An attacker can therefore start an update process, which creates the temporary folder, and then trigger a rollback. At that point the attacker can place malicious files in the temporary folder and have them executed.

Researcher Filip Dragovic was credited with reporting CVE-2023-20178 and released a PoC that triggers an arbitrary file delete with SYSTEM privileges. The PoC works on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079.

When a user connects to the VPN, the vpndownloader.exe process is started in the background and creates a directory in C:\Windows\Temp with default permissions, named in the following format: <random numbers>.tmp. After creating this directory, vpndownloader.exe checks whether the directory is empty and, if it is not, deletes all files and directories in it. This behaviour can be abused to perform an arbitrary file delete as the NT AUTHORITY\SYSTEM account.
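The page does not spell out how "delete everything in a temp folder" turns into an arbitrary file delete, so here is the general pattern, as an added example that is not Dragovic's PoC and not Cisco's code: a privileged cleanup routine that resolves entries with path-based calls (which follow symlinks and junctions) will happily traverse a link an attacker planted in the folder and delete whatever it points at. The hardened version removes links themselves without following them, only recurses into real directories, and on POSIX refuses entries owned by someone else. The directory names, the "victim" file and the symlink are all constructed for the demo; the `<random numbers>.tmp` name mirrors the page's description but nothing here talks to AnyConnect.

```python
import os
import shutil
import stat
import tempfile


def unsafe_cleanup(directory):
    """Naive 'empty the folder' routine, the way a privileged updater might do it.
    os.path.isdir() follows symlinks, so a planted link to another directory is
    treated as a subfolder and its real contents are deleted."""
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isdir(path):            # follows symlinks: this is the bug
            unsafe_cleanup(path)
            if os.path.islink(path):
                os.unlink(path)
            else:
                os.rmdir(path)
        else:
            os.unlink(path)


def _is_reparse_point(entry):
    """True for symlinks, and on Windows for any reparse point (junctions included)."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)     # Windows only; 0 elsewhere
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def safe_cleanup(directory):
    """Delete only objects that physically live under `directory`:
    never follow a link (remove the link object itself), recurse only into
    real directories, and refuse foreign-owned entries where uids exist."""
    with os.scandir(directory) as it:
        entries = list(it)
    for entry in entries:
        st = entry.stat(follow_symlinks=False)
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            raise PermissionError(f"refusing to delete foreign-owned entry {entry.path}")
        if _is_reparse_point(entry):
            try:
                os.unlink(entry.path)          # removes the link, not its target
            except (IsADirectoryError, PermissionError):
                os.rmdir(entry.path)           # Windows: directory links go via rmdir
        elif entry.is_dir(follow_symlinks=False):
            safe_cleanup(entry.path)
            os.rmdir(entry.path)
        else:
            os.unlink(entry.path)


def demo(cleanup):
    """Constructed scenario: a victim file outside the temp folder and an
    attacker-planted symlink inside the folder pointing at the victim's directory.
    Returns (victim_survived, temp_folder_emptied)."""
    base = tempfile.mkdtemp()
    try:
        victim_dir = os.path.join(base, "victim")
        os.mkdir(victim_dir)
        victim = os.path.join(victim_dir, "important.txt")
        with open(victim, "w") as f:
            f.write("do not delete\n")
        tmp = os.path.join(base, "12345.tmp")          # stands in for <random numbers>.tmp
        os.mkdir(tmp)
        os.symlink(victim_dir, os.path.join(tmp, "redirect"), target_is_directory=True)
        cleanup(tmp)
        return os.path.exists(victim), os.listdir(tmp) == []
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("unsafe_cleanup: victim survived, folder emptied =", demo(unsafe_cleanup))
    print("safe_cleanup:   victim survived, folder emptied =", demo(safe_cleanup))
```

Run it on Linux or macOS and the naive routine deletes `important.txt` through the link, while the hardened one removes only the link and leaves the victim untouched. The link check is the minimum; a privileged process that must clean up a folder in a location users can write to (C:\Windows\Temp has exactly that property) should also create that folder with a restrictive DACL rather than inherited defaults, or avoid the shared location altogether, because a TOCTOU window between the check and the delete remains with path-based calls.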

The Cisco PSIRT confirmed that they are not aware of any attacks in the wild exploiting this vulnerability.
