CVE-2020-3432

5.6 MEDIUM

📋 TL;DR

This vulnerability in Cisco AnyConnect Secure Mobility Client for Mac OS allows authenticated local attackers to corrupt files via symlink attacks. Attackers need valid system credentials to exploit it. The vulnerability affects Mac OS users running vulnerable AnyConnect versions.

💻 Affected Systems

Products:
  • Cisco AnyConnect Secure Mobility Client
Versions: Versions prior to 4.9.00086
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Mac OS installations. Requires local authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical system file corruption leading to denial of service, system instability, or potential privilege escalation if sensitive files are targeted.

🟠 Likely Case

Local file corruption causing application failures, data loss, or system instability for targeted users.

🟢 If Mitigated

Minimal impact with proper access controls and monitoring in place to detect unusual symlink activity.

🌐 Internet-Facing: LOW - Requires local access and authentication, not remotely exploitable.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could exploit this to disrupt systems or corrupt data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple symlink attack once authenticated.

Exploitation requires local authenticated access and knowledge of specific vulnerable paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.00086 and later

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-mac-dos-36s2y3Lv

Restart Required: Yes

Instructions:

1. Download AnyConnect version 4.9.00086 or later from Cisco.
2. Uninstall current AnyConnect client.
3. Install updated version.
4. Restart system.

🔧 Temporary Workarounds

No official workarounds

Cisco states there are no workarounds for this vulnerability

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable AnyConnect versions
  • Implement file integrity monitoring to detect unauthorized file modifications

🔍 How to Verify

Check if Vulnerable:

Check AnyConnect version via GUI (About) or command line: /opt/cisco/anyconnect/bin/anyconnect_version

Check Version:

/opt/cisco/anyconnect/bin/anyconnect_version

Verify Fix Applied:

Verify version is 4.9.00086 or higher using same command
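
The version comparison this check calls for, as an added example (not Cisco's code and not part of the original page). It assumes the command prints a version string of the form N.N.N; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify an AnyConnect version against the fixed release.
FIXED_VERSION="4.9.00086"   # fixed release named on this page

# Numeric value of one version field. Leading zeros are stripped so that
# "00086" is not parsed as (invalid) octal by shell arithmetic.
field_value() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# version_ge A B: succeed if A >= B, comparing each dot-separated field
# numerically, so 4.10.x sorts above 4.9.x (a string compare gets this wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        na=$(field_value "$fa"); nb=$(field_value "$fb")
        [ "$na" -gt "$nb" ] && return 0
        [ "$na" -lt "$nb" ] && return 1
    done
    return 0
}

# classify TEXT: print "patched", "vulnerable" or "unknown" for the first
# N.N.N version string found in TEXT (output format is an assumption).
classify() {
    ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Path as given on this page; skipped when the client is not installed.
BIN=/opt/cisco/anyconnect/bin/anyconnect_version
if [ -x "$BIN" ]; then
    classify "$("$BIN" 2>&1)"
fi
```

An "unknown" result means no version string was found in the output and the host should be checked by hand rather than treated as patched.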

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation in system directories
  • File modification errors in system logs
  • AnyConnect uninstaller process failures

Network Indicators:

  • None - local attack only

SIEM Query:

Process creation where command_line contains 'uninstall' AND parent_process contains 'AnyConnect' AND file_path contains symbolic link patterns
