CVE-2012-2493 — Improper Input Validation in Cisco Anyconnect Secure Mobility Client

CWE-20 — Improper Input Validation CWE-3994 documents4 sources

Severity

9.3CRITICALNVD

EPSS

1.3%

top 20.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Anyconnect Secure Mobility Client

Timeline

PublishedJun 20

Latest updateMay 17

Description

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 on Windows, and 2.x before 2.5 MR6 and 3.x before 3.0 MR8 on Mac OS X and Linux, does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code via vectors involving (1) ActiveX or (2) Java components, aka Bug ID CSCtw47523.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

▶NVDcisco/anyconnect_secure_mobility_client16 versions+15

🔴Vulnerability Details

GHSA

GHSA-vf8f-23mh-9x3q: The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2↗2022-05-17

▶

CVEList

CVE-2012-2493: The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2↗2012-06-20

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client↗2012-06-20

▶