CVE-2021-1519 MEDIUM

CVE-2021-1519: Cisco AnyConnect Secure Mobility Client Profile Modification Vulnerability

Vendor Cisco
Product Cisco AnyConnect Secure Mobility Client
Weakness CWE-20 · Input validation
Published May 6, 2021
Last update November 8, 2024

CVSS base score

4.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to modify VPN profile files. To exploit this vulnerability, the attacker must have valid credentials on the affected system.

Key dates

02Disclosure timeline

May 6, 2021 CVE published
November 8, 2024 Record updated