Cisco fixes four security holes in AnyConnect Secure Mobility Client

The Cisco AnyConnect Secure Mobility Client is a VPN client that provides remote users with secure IPsec or SSL VPN connections to Cisco 5500 Series Adaptive Security Appliances and devices that are running Cisco IOS software, the company explained.

“The vulnerabilities described in this advisory all are exploited via the software update mechanisms used to perform WebLaunch-initiated web deployment. All affected versions of Cisco AnyConnect Secure Mobility Client, regardless of how they were deployed onto end-user systems, are susceptible to exploitation. In addition, because the WebLaunch components are signed by Cisco and because these vulnerabilities can allow for the arbitrary installation of malicious software, any end-user system that instantiates the vulnerable WebLaunch downloader components may be impacted, including systems that have never installed Cisco AnyConnect Secure Mobility Client”, the security advisory said.

Two of the vulnerabilities could enable an attacker to execute malicious code on a user’s system, according to the security note. The other two could enable an attacker to downgrade the client to an older version. The vulnerabilities do not affect Cisco AnyConnect Client software that runs on iOS, Cisco Cius, or Google Android.
 
