CVE-2020-3153

MEDIUM KEV RANSOMWARE

Cisco AnyConnect < - Path Traversal

Title source: llm

Exploitation Summary

CVE-2020-3153 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits, among them work by researchers goichot, shubham0d and raspberry-pie and a Metasploit module, exploits/windows/local/anyconnect_lpe.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-3153, a vulnerability in Cisco ASA and FTD software. The exploit is written in C# and appears to target a remote code execution (RCE) flaw, likely leveraging a deserialization vulnerability.

Description

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

Exploits (4)

nomisec WORKING POC 106 stars
by goichot · poc
https://github.com/goichot/CVE-2020-3153

This repository contains a functional exploit for CVE-2020-3153, a vulnerability in Cisco ASA and FTD software. The exploit is written in C# and appears to target a remote code execution (RCE) flaw, likely leveraging a deserialization vulnerability.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco ASA and FTD software
No auth needed
Prerequisites: Network access to the vulnerable Cisco ASA/FTD device
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by shubham0d · local
https://github.com/shubham0d/CVE-2020-3153

This repository contains a functional exploit for CVE-2020-3153, a path traversal vulnerability in Cisco AnyConnect Secure Mobility Client. The exploit leverages a crafted command to achieve local privilege escalation by manipulating file paths and executing arbitrary code with SYSTEM privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Cisco AnyConnect Secure Mobility Client
No auth needed
Prerequisites: Cisco AnyConnect Secure Mobility Client installed · Access to the target system · actoast.dll placed in a specific directory
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by raspberry-pie · local
https://github.com/raspberry-pie/CVE-2020-3153

This repository contains a functional proof-of-concept exploit for CVE-2020-3153, a path traversal vulnerability in Cisco AnyConnect Secure Mobility Client. The exploit leverages a crafted command to achieve local privilege escalation by executing a user-controlled binary as SYSTEM via the vpnagent.exe service.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Cisco AnyConnect Secure Mobility Client versions 4.5.x, 4.6.x, 4.7.04x, and 4.8.x
No auth needed
Prerequisites: Cisco AnyConnect installed on Windows 7/10 · Access to place files in C:\anyconnect\ · cstub.exe and dbghelp.dll prepared as described
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Yorick Koster, Antoine Goichot (ATGO), Christophe De La Fuente · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/anyconnect_lpe.rb

This Metasploit module exploits CVE-2020-3153 and CVE-2020-3433 in Cisco AnyConnect Secure Mobility Client for Windows, leveraging path traversal and DLL hijacking to achieve local privilege escalation via crafted IPC requests to the AnyConnect service.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Cisco AnyConnect Secure Mobility Client for Windows (versions prior to 4.8.02042 and 4.9.00086)
No auth needed
Prerequisites: Local access to the target system · Cisco AnyConnect Secure Mobility Client installed with vulnerable version · TCP port 62522 accessible on loopback
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Apr/43
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html

Scores

CVSS v3: 6.5
EPSS: 0.2831
EPSS Percentile: 97.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: partial

Details

CISA KEV: 2022-10-24
VulnCheck KEV: 2022-10-20
InTheWild.io: 2022-10-24
ENISA EUVD: EUVD-2020-24424
Ransomware Use: Confirmed
CWE: CWE-427
Status: published
Products (1): cisco/anyconnect_secure_mobility_client < 4.8.02042
Published: Feb 19, 2020
KEV Added: Oct 24, 2022
Tracked Since: Feb 18, 2026