CVE-2023-20178

HIGH

Cisco AnyConnect Secure Mobility Client and Secure Client - Privilege Escalation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-20178. PoCs published by Wh04m1001.

AI-analyzed exploit summary: This PoC exploits an arbitrary file delete vulnerability in Cisco Secure Client and AnyConnect VPN software by abusing the vpndownloader.exe process to delete files as NT Authority\SYSTEM. It leverages a race condition and oplock mechanisms to achieve privilege escalation via Windows Installer behavior.

Description

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

Exploits (1)

nomisec WORKING POC 90 stars
by Wh04m1001 · poc
https://github.com/Wh04m1001/CVE-2023-20178


Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Cisco Secure Client (5.0.01242), Cisco AnyConnect (4.10.06079)
No auth needed
Prerequisites: VPN connection initiated to trigger vpndownloader.exe · Ability to create directories in C:\Windows\Temp
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0593
EPSS Percentile 92.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-276
Status published
Products (2)
cisco/anyconnect_secure_mobility_client < 4.10.07061
cisco/secure_client < 5.0.02075
Published Jun 28, 2023
Tracked Since Feb 18, 2026