Home

Description

Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2- 5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version.

PUBLISHED Reserved 2025-10-07 | Published 2025-10-07 | Updated 2025-10-08 | Assigner AMZN




CRITICAL: 9.3CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Product status

Default status
unaffected

1.3.2 before 5.2.1
affected

References

aws.amazon.com/vpn/client-vpn-download/ patch product

aws.amazon.com/security/security-bulletins/AWS-2025-020/ vendor-advisory

cve.org (CVE-2025-11462)

nvd.nist.gov (CVE-2025-11462)

Download JSON