CVE-2025-20206
Vulnerability from cvelistv5
Published
2025-03-05 16:14
Modified
2025-03-06 04:55
Severity
7.1 (HIGH), CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A vulnerability in the interprocess communication (IPC) channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the Secure Firewall Posture Engine, formerly HostScan, is installed on Cisco Secure Client.
This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to a specific Cisco Secure Client process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid user credentials on the Windows system.
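References
- cisco-sa-secure-dll-injection-AOyzEqSg: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-dll-injection-AOyzEqSg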
Impacted products
Vendor | Product | Affected versions
---|---|---
Cisco | Cisco Secure Client | 4.9.00086, 4.9.01095, 4.9.02028, 4.9.03047, 4.9.03049, 4.9.04043, 4.9.04053, 4.9.05042, 4.9.06037, 4.10.00093, 4.10.01075, 4.10.02086, 4.10.03104, 4.10.04065, 4.10.04071, 4.10.05085, 4.10.05095, 5.0.00238, 4.10.05111, 5.0.00529, 5.0.00556, 4.10.06079, 5.0.01242, 4.10.06090, 5.0.02075, 4.10.07061, 5.0.03072, 4.10.07062, 5.0.03076, 5.0.04032, 4.10.07073, 5.0.05040, 5.1.0.136, 5.1.1.42, 4.10.08025, 5.1.2.42, 4.10.08029, 5.1.3.62, 5.1.4.74, 5.1.5.65, 5.1.6.103, 5.1.7.80