Version Downgrade Vulnerability in Cisco AnyConnect Secure Mobility Client
CVE-2012-2495

Currently unrated

Key Information:

Vendor
Cisco
CVE Published:
20 June 2012

Summary

The HostScan downloader in Cisco AnyConnect Secure Mobility Client versions prior to 3.0 MR8 fails to validate the timestamp of software offered for installation against the currently installed version. As a result, an attacker can use ActiveX or Java components to offer an older, vulnerable software version, forcing a downgrade that may expose the client to known security risks. Organizations reliant on the affected Cisco products are urged to update promptly and review their security configurations to mitigate potential threats.

References

Timeline

  • Vulnerability Reserved

  • Vulnerability published
