CVE-2012-2494

Name of the Vulnerable Software and Affected Versions Cisco AnyConnect Secure Mobility Client versions 2.x through 2.5 MR5 Cisco AnyConnect Secure Mobility Client versions 3.x through 3.0 MR7

Description The issue concerns the VPN downloader implementation in the WebLaunch feature, which does not compare the timestamp of offered software to the timestamp of installed software. This allows remote attackers to force a version downgrade by using ActiveX or Java components to offer signed code that corresponds to an older software release.

Recommendations For Cisco AnyConnect Secure Mobility Client versions 2.x through 2.5 MR5, update to version 2.5 MR6 or later. For Cisco AnyConnect Secure Mobility Client versions 3.x through 3.0 MR7, update to version 3.0 MR8 or later.