CVE-2012-2493 : The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect S

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 on Windows, and 2.x before 2.5 MR6 and 3.x before 3.0 MR8 on Mac OS X and Linux, does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code via vectors involving (1) ActiveX or (2) Java components, aka Bug ID CSCtw47523.

Published 2012-06-20 20:55:02

Updated 2025-04-11 00:51:22

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2012-2493

Cisco » Anyconnect Secure Mobility Client » Version: 2.0
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.0:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.2.133
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.133:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.2.128
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.128:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.2.140
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.140:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.2.136
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2.136:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.1
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.1:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.2
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.2:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.3
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.3.2016
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.2016:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 3.0
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:3.0:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Mac Os X
When used together with: Linux » Linux Kernel
Cisco » Anyconnect Secure Mobility Client » Version: 2.4
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.4.1012
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.1012:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.4.0202
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.4.0202:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.5
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.5:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.3.254
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.254:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows
Cisco » Anyconnect Secure Mobility Client » Version: 2.3.185
cpe:2.3:a:cisco:anyconnect_secure_mobility_client:2.3.185:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows

Exploit prediction scoring system (EPSS) score for CVE-2012-2493

EPSS FAQ

1.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 80 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-2493

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2012-2493

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-2493

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac

Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2012-2493

Products affected by CVE-2012-2493

Exploit prediction scoring system (EPSS) score for CVE-2012-2493

CVSS scores for CVE-2012-2493

CWE ids for CVE-2012-2493

References for CVE-2012-2493