PT-2020-13278 · Anchorfree · Anchorfree Vpn Sdk

Published 2020-05-21 · Updated 2020-07-01 · CVE-2020-12828

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: AnchorFree VPN SDK versions prior to 1.3.3.218
Description: An issue was discovered in the AnchorFree VPN SDK where the VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.
Recommendations: For AnchorFree VPN SDK versions prior to 1.3.3.218, update to version 1.3.3.218 or later to resolve the issue. As a temporary workaround, consider restricting access to the socket bound to localhost to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2020-12828

Affected Products

Anchorfree Vpn Sdk