CVE-2017-3813

HIGH

Cisco AnyConnect - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-3813. PoCs published by Pcchillin.

AI-analyzed exploit summary: This exploit describes a manual local privilege escalation (LPE) technique in Cisco AnyConnect Start Before Logon (SBL) by leveraging a UI interaction flaw to launch a command prompt with elevated privileges. It involves specific key combinations and navigation steps to bypass intended restrictions.

Description

A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to released versions 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976.

Exploits (1)

exploitdb WRITEUP
by Pcchillin · text · local · windows
https://www.exploit-db.com/exploits/41476

Classification: Writeup 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Cisco AnyConnect Secure Mobility Client 4.3.04027 and earlier
Auth required
Prerequisites: Physical or console access to the target system · Cisco AnyConnect installed with SBL enabled
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41476/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037796
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96145

Scores

CVSS v3: 7.8
EPSS: 0.0171
EPSS Percentile: 74.4%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-264, CWE-862
Status: published
Products (26)
cisco/anyconnect_secure_mobility_client 4.0.00048
cisco/anyconnect_secure_mobility_client 4.0.00051
cisco/anyconnect_secure_mobility_client 4.0.00052
cisco/anyconnect_secure_mobility_client 4.0.00057
cisco/anyconnect_secure_mobility_client 4.0.00061
cisco/anyconnect_secure_mobility_client 4.1.00028
cisco/anyconnect_secure_mobility_client 4.1.02011
cisco/anyconnect_secure_mobility_client 4.1.04011
cisco/anyconnect_secure_mobility_client 4.1.06013
cisco/anyconnect_secure_mobility_client 4.1.06020
... and 16 more
Published: Feb 09, 2017
Tracked Since: Feb 18, 2026