CVE-2020-3433

HIGH KEV RANSOMWARE

Cisco AnyConnect Secure Mobility Client for Windows - DLL Hijacking

Title source: llm

Exploitation Summary

CVE-2020-3433 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including goichot.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2020-3433, targeting Cisco ASA/FTD devices. The PoC demonstrates privilege escalation via a crafted payload, leveraging a vulnerability in the VPN functionality.

Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Exploits (1)

nomisec WORKING POC 43 stars

by goichot · local

https://github.com/goichot/CVE-2020-3433

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2020-3433, targeting Cisco ASA/FTD devices. The PoC demonstrates privilege escalation via a crafted payload, leveraging a vulnerability in the VPN functionality.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Cisco ASA/FTD (versions affected by CVE-2020-3433)

Auth required

Prerequisites: Access to a vulnerable Cisco ASA/FTD device · Valid credentials for initial access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3433

Scores

CVSS v3 7.8

EPSS 0.0446

EPSS Percentile 89.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-10-24

VulnCheck KEV 2022-10-20

InTheWild.io 2022-10-24

ENISA EUVD EUVD-2020-24704

Ransomware Use Confirmed

CWE

CWE-427

Status published

Products (1)

cisco/anyconnect_secure_mobility_client < 4.9.00086

Published Aug 17, 2020

KEV Added Oct 24, 2022

Tracked Since Feb 18, 2026