Six months after disclosing a zero-day arbitrary code execution vulnerability in the Cisco AnyConnect Secure Mobility Client VPN software, the company finally resolved the issue.
The security flaw was identified by the Cisco Product Security Incident Response Team in November 2020, but PSIRT was slow to take action because the team believed that the security bug didn’t put users’ devices at risk. Still, the security shortcoming could have enabled attackers to send crafted IPC messages to the AnyConnect client and run the malicious code. For its part, Cisco doesn’t believe that it has been exploited.
With the release of the latest version of the Secure Mobility Client Software, the vulnerability has been addressed. According to Cisco, customers who cannot immediately install the security updates can minimize any potential risks from the vulnerability by toggling off the Auto-Update feature.
Cisco’s internal security team located the vulnerability in the AnyConnect Secure Mobility Client, which is tasked with connecting remote workers to the corporate network through a secure VPN connection with the help of SSL and IPsec IKEv2 protocols.
The flaw has a score of 7.3 on the Common Vulnerability Scoring System. This is high because the configurations where the vulnerability is exploitable gives potential snoopers access to user data.
To apply one of the many patches Cisco rolled out in 2021, users need to download the updates by visiting the Software Center on Cisco.com. From there, select Browse all. Then, hit Routers – Small Business Routers – Small Business RV Series Routers and pick the router model that needs to be targeted.
This has been a rough year for cybersecurity professionals. It remains to be seen whether the evolution of cyber threats and the growing number of attacks will persist in the coming months. In the meantime, users are advised to protect their sensitive data by using state-of-art VPN software and regularly checking for security updates.