Rapid7 Vulnerability & Exploit Database

Cisco AnyConnect Priv Esc through Path Traversal

Back to Search

Cisco AnyConnect Priv Esc through Path Traversal



The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (`vpndownloader`), which copies itself to an arbitrary location before being executed with system privileges. Since `vpndownloader` is also vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same location `vpndownloader` will be copied to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).


  • Yorick Koster
  • Antoine Goichot (ATGO)
  • Christophe De La Fuente




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/anyconnect_path_traversal_lpe
msf exploit(anyconnect_path_traversal_lpe) > show targets
msf exploit(anyconnect_path_traversal_lpe) > set TARGET < target-id >
msf exploit(anyconnect_path_traversal_lpe) > show options
    ...show and set options...
msf exploit(anyconnect_path_traversal_lpe) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security