CVE-2020-12828

CRITICAL

AnchorFree VPN SDK <1.3.3.218 - Code Injection

Title source: llm

Description

An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

Exploits (1)

nomisec WORKING POC 28 stars

by 0xsha · poc

https://github.com/0xsha/ZombieVPN

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://www.pango.co/sec31944/

Scores

CVSS v3 9.8

EPSS 0.1476

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

pango/virtual_private_network_software_development_kit < 1.3.3.218

Published May 21, 2020

Tracked Since Feb 18, 2026