PT-2025-30596 · Amazon Web Services+1 · Aws Client Vpn+1
Published: 2025-07-23 · Updated: 2025-10-14
CVE-2025-8069
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AWS Client VPN versions prior to 5.2.2
Description
During the installation process on Windows devices, the AWS Client VPN client references a specific directory (C:\usr\local\windows-x86_64-openssl-localbuild\ssl) to retrieve the OpenSSL configuration file. This allows a non-administrator user to potentially place arbitrary code within this configuration file. Subsequently, if an administrator user initiates the AWS Client VPN client installation, this code could be executed with elevated privileges. This issue does not impact Linux or Mac operating systems.
Recommendations
Discontinue any new installations of AWS Client VPN versions prior to 5.2.2 on Windows.
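A defender-side check for the condition in the Description, added here as an example and not taken from AWS or this advisory: it reports which identities outside a trusted set can write to the referenced directory, or to its nearest existing ancestor when the directory is absent, and lists any files already present with their owners. The trusted-SID list and the write-rights mask are assumptions of this example.

```powershell
# Added example, not AWS code. The path is the one named in the advisory text.
$target = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Assumption: rights that let a principal create, replace or re-permission files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# If the directory is absent, the ACL of the nearest existing ancestor decides who may create it.
$probe = $target
while ($probe -and -not (Test-Path -LiteralPath $probe -PathType Container)) {
    $probe = Split-Path -Path $probe -Parent
}
if (-not $probe) { throw "No existing ancestor found for $target" }

$findings = foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }  # ACE does not apply to $probe itself
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }    # no write-type right granted
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $ace.IdentityReference.Value   # unresolvable identity: report it as-is
    }
    if ($trustedSids -notcontains $sid) {
        [pscustomobject]@{ Path = $probe; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
    }
}

if ($probe -eq $target) {
    # Directory already exists: list its contents with owners so unexpected files stand out.
    Get-ChildItem -LiteralPath $target -Force -Recurse |
        Select-Object FullName, LastWriteTime, @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }
} else {
    Write-Output "Target directory absent; evaluated nearest existing ancestor: $probe"
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output "No non-trusted write ACEs on $probe" }
```

ACEs expressed only as generic rights are not matched by the mask, so review the raw `Get-Acl` output as well when a finding is unexpectedly empty.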
Fix
LPE
Incorrect Default Permissions
Affected Products
Aws Client Vpn
Openssl