CVE-2025-8069 | THREATINT

Description

During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices. We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2.

PUBLISHED Reserved 2025-07-22 | Published 2025-07-23 | Updated 2025-10-14 | Assigner AMZN

HIGH: 7.3CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-276 Incorrect Default Permissions

Product status

Default status

unaffected

4.1.0 (semver)

affected

5.0.0 (semver) before 5.2.2

affected

References

aws.amazon.com/security/security-bulletins/AWS-2025-014/ vendor-advisory

docs.aws.amazon.com/...pn-connect-windows-release-notes.html patch release-notes

cve.org (CVE-2025-8069)

nvd.nist.gov (CVE-2025-8069)

Download JSON