CVE-2021-1366

HIGH

Cisco AnyConnect Secure Mobility Client < 4.9.05042 - Authenticated DLL Hijacking via IPC Channel

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-1366. PoCs published by koztkozt.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-1366, a local privilege escalation vulnerability in Cisco AnyConnect Secure Mobility Client for Windows. The exploit leverages DLL hijacking via the interprocess communication (IPC) channel of the Cisco Security Service to copy malicious DLLs to a privileged directory, achieving privilege escalation upon service restart.

Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

Exploits (1)

nomisec WORKING POC
by koztkozt · poc
https://github.com/koztkozt/CVE-2021-1366

This repository contains a functional exploit for CVE-2021-1366, a local privilege escalation vulnerability in Cisco AnyConnect Secure Mobility Client for Windows. The exploit leverages DLL hijacking via the interprocess communication (IPC) channel of the Cisco Security Service to copy malicious DLLs to a privileged directory, achieving privilege escalation upon service restart.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Cisco AnyConnect Secure Mobility Client for Windows (with VPN Posture (HostScan) Module installed)
Auth required
Prerequisites: Authenticated local access · Cisco AnyConnect with VPN Posture (HostScan) Module installed · Malicious DLL prepared for DLL proxying · Process hollowing tool
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.8
EPSS 0.0125
EPSS Percentile 66.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-347 CWE-427
Status published
Products (1)
cisco/anyconnect_secure_mobility_client < 4.9.05042
Published Feb 17, 2021
Tracked Since Feb 18, 2026