Main Vulnerability Database Vulnerabilities #VU49533

Insecure DLL loading in Cisco AnyConnect Secure Mobility Client - CVE-2021-1237

Published: January 13, 2021 / Updated: January 14, 2021

Vulnerability identifier: #VU49533

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2021-1237

CWE-ID: CWE-427

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Cisco AnyConnect Secure Mobility Client

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of resources that are loaded by the application at run time in the Network Access Manager and Web Security Agent components. A local user can place a specially crafted .dll file and execute arbitrary code on victim's system.

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf

Insecure DLL loading in Cisco AnyConnect Secure Mobility Client - CVE-2021-1237

Description

Remediation

External links

Please verify you're human