By 
Cisco today disclosed a zero-day vulnerability with proof-of-concept attack code publicly accessible in the Cisco AnyConnect Secure Mobility Client software.
While security patches for this arbitrary code execution flaw are still not available, Cisco is working to resolve the zero-day issue, with a patch coming in a future version of the AnyConnect client.
Nevertheless, according to the Cisco Product Security Incident Response Team (PSIRT), the Cisco AnyConnect Secure Mobility Client security vulnerability has not been abused in the wild yet.
In the Cisco AnyConnect Client interprocess communication (IPC) channel, the high severity vulnerability monitored as CVE-2020-3556 exists and may allow authorized and local attackers to execute malicious scripts through a targeted user.
This affects all AnyConnect client versions with vulnerable configurations for Windows, Linux, and macOS. However, this vulnerability does not impact iOS and Android clients.
“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled,” Cisco explains. “Auto Update is enabled by default, and Enable Scripting is disabled by default.”
Successful exploitation often requires active AnyConnect sessions and the targeted device with valid credentials.
Although there are no alternative solutions available to fix CVE-2020-3556, disabling the Auto-Update feature can mitigate it.
The attack surface can also be drastically reduced by turning off the configuration setting of Enable Scripting on devices where it is enabled.
Gerbert Roitburd, from the Secure Mobile Networking Lab (TU Darmstadt), disclosed the vulnerability to Cisco.
In different items, Cisco today also patched 11 other high severity and 23 medium severity security bugs that could lead to denial of service or arbitrary execution of code on compromised devices.
In September and July, Cisco has patched actively exploited flaws in several carrier-grade routers and the ASA / FTD firewall, respectively.
