CVE-2002-1492

Cisco VPN 5000 Client <5.2.7/5.2.8 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2002-1492. PoCs published by zillion, BrainStorm.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Cisco VPN 5000 UNIX clients (Linux/Solaris) via the setuid root binaries 'close_tunnel' and 'open_tunnel'. It leverages a stack-based overflow to execute shellcode, granting root privileges.

Description

Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, and VPN 5000 Client before 5.2.8 for Solaris, allow local users to gain root privileges via (1) close_tunnel and (2) open_tunnel.

Exploits (2)

exploitdb WORKING POC VERIFIED
by zillion · clocalunix
https://www.exploit-db.com/exploits/21806

This exploit targets a buffer overflow vulnerability in Cisco VPN 5000 UNIX clients (Linux/Solaris) via the setuid root binaries 'close_tunnel' and 'open_tunnel'. It leverages a stack-based overflow to execute shellcode, granting root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Cisco VPN 5000 UNIX client version 5.1.5
No auth needed
Prerequisites: Local access to the vulnerable system · Presence of vulnerable setuid binaries
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by BrainStorm · clocalunix
https://www.exploit-db.com/exploits/21805

This exploit leverages a command-line buffer overflow in the setuid root binary 'close_tunnel' of Cisco VPN 5000 UNIX clients (Linux/Solaris). It overflows the buffer via the '-d' option to overwrite the return address and execute arbitrary shellcode, granting root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Cisco VPN 5000 Client (5.1.5 and likely others)
No auth needed
Prerequisites: Local access to the target system · Presence of vulnerable Cisco VPN 5000 Client installation
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Vendor Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/10131.php
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/5734
Patch, Vendor Advisory vendor-advisory x_refsource_cisco
http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml

Scores

EPSS 0.0172
EPSS Percentile 74.5%

Details

Status published
Products (2)
cisco/vpn_5000_client 5.2.6
cisco/vpn_5000_client 5.2.7
Published Apr 02, 2003
Tracked Since Feb 18, 2026