CVE-2015-6305

Cisco AnyConnect Secure Mobility Client 2.0-4.1 - Untrusted Search Path via vpndownloader.exe

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6305. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages an insufficient fix for CVE-2015-4211 in Cisco AnyConnect, allowing local privilege escalation via DLL planting (dbghelp.dll) when the vpndownloader.exe is copied to a writable directory and executed by the service.

Description

Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textlocalwindows

https://www.exploit-db.com/exploits/38289

View Code ZIP pw:eip

This exploit leverages an insufficient fix for CVE-2015-4211 in Cisco AnyConnect, allowing local privilege escalation via DLL planting (dbghelp.dll) when the vpndownloader.exe is copied to a writable directory and executed by the service.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Cisco AnyConnect Secure Mobility Client v3.1.08009

Auth required

Prerequisites: Local access to the system · Ability to write to a local directory · Cisco AnyConnect v3.1.08009 installed

MITRE ATT&CK

T1548.002 - Bypass User Account Control T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1033643

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/38289/

Third Party Advisory, VDB Entry mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2015/Sep/80

Vendor Advisory vendor-advisory x_refsource_cisco

http://tools.cisco.com/security/center/viewAlert.x?alertId=41136

Exploit, Vendor Advisory x_refsource_misc

https://code.google.com/p/google-security-research/issues/detail?id=460

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/133876/Cisco-AnyConnect-Secure-Mobility-Client-3.1.08009-Privilege-Elevation.html

Scores

EPSS 0.0120

EPSS Percentile 64.2%

Details

CWE

CWE-426

Status published

Products (50)

cisco/anyconnect_secure_mobility_client 2.0.0343

cisco/anyconnect_secure_mobility_client 2.1.0.148

cisco/anyconnect_secure_mobility_client 2.2.0133

cisco/anyconnect_secure_mobility_client 2.2.0136

cisco/anyconnect_secure_mobility_client 2.2.0140

cisco/anyconnect_secure_mobility_client 2.3.0185

cisco/anyconnect_secure_mobility_client 2.3.0254

cisco/anyconnect_secure_mobility_client 2.3.1003

cisco/anyconnect_secure_mobility_client 2.3.2016

cisco/anyconnect_secure_mobility_client 2.4.0202

... and 40 more

Published Sep 26, 2015

Tracked Since Feb 18, 2026