[CIVN-2025-0159] Privilege Escalation Vulnerability in AWS Client VPN
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Privilege Escalation Vulnerability in AWS Client VPN
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
AWS Client VPN versions prior to 5.2.2 for Windows
Overview
A vulnerability has been reported in AWS Client VPN, which could be exploited by a local attacker with low-privilege access to potentially escalate permissions and execute arbitrary code on the targeted system.
Target Audience:
All organizations and individuals using AWS Client VPN.
Impact Assessment:
Potential for privilege escalation and execution of arbitrary code.
Risk Assessment:
High risk of unauthorized access and full system compromise.
Description
AWS Client VPN is a managed client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supports Windows, macOS, and Linux, and allows end users to establish a secure tunnel to the AWS Client VPN Service.
The vulnerability exists in AWS Client VPN due to a flaw in the installation process, which references an insecure directory when retrieving the OpenSSL configuration file. An attacker could exploit this vulnerability by placing maliciously crafted code in the configuration file.
Successful exploitation of this vulnerability could allow a local attacker with low-privilege access to potentially escalate permissions and execute arbitrary code on the targeted system.
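The weakness described above is an OpenSSL configuration file being loaded from a location that low-privileged users can modify. The following PowerShell audit helper is an added example (not code from CERT-In or AWS): it reports any ACL entry on a given openssl.cnf, or on its parent directory, that grants write-class rights to identities every local user holds. The advisory does not name the directory involved, so the path passed to the function is a placeholder assumption.

```powershell
# Added example: audit whether an OpenSSL config file, or the directory it is
# loaded from, can be modified by low-privileged users. The path is supplied by
# the caller; the advisory does not specify it.
function Test-OpenSslConfigExposure {
    param(
        [Parameter(Mandatory)][string]$ConfigPath
    )
    # Identities that any interactive, low-privileged local user is a member of.
    $lowPrivGroups = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # Rights that let a user replace, append to, delete or re-permission a file.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    $findings = @()
    $dir = Split-Path -Path $ConfigPath -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        # A missing directory is itself a risk: whoever can create it controls what gets loaded.
        $findings += "Directory '$dir' does not exist; a user able to create it would control the loaded config."
        return $findings
    }
    foreach ($target in @($dir, $ConfigPath)) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                $findings += "$target grants '$($ace.FileSystemRights)' to $($ace.IdentityReference)"
            }
        }
    }
    return $findings
}

# Placeholder path: substitute the config location observed being opened by the
# installer (for example via Process Monitor or the OPENSSL_CONF variable).
$findings = Test-OpenSslConfigExposure -ConfigPath 'C:\PLACEHOLDER\openssl.cnf'
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No low-privilege write access found on the OpenSSL config or its directory.'
}
```

Any warning printed indicates a directory where a low-privileged user could plant a configuration file before a privileged installer reads it, which is the condition to remediate alongside updating to 5.2.2 or later.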
Solution
Apply the appropriate fixes described at:
https://aws.amazon.com/security/security-bulletins/AWS-2025-014/
Vendor Information
AWS
https://aws.amazon.com/vpn/client-vpn/
References
AWS
https://aws.amazon.com/security/security-bulletins/AWS-2025-014/
CVE Name
CVE-2025-8069
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003