AWS Client VPN for Windows Vulnerability Could Allow Privilege Escalation
Amazon Web Services has disclosed a critical security vulnerability in its Client VPN software for Windows that could allow non-administrative users to escalate their privileges to root-level access during the installation process.
The vulnerability, tracked as CVE-2025-8069, affects multiple versions of the AWS Client VPN client and has been addressed in the latest software update.
Vulnerability Details
| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-8069 |
| Affected Product | AWS Client VPN Windows Client |
| Vulnerability Type | Local Privilege Escalation |
| Severity | Important |
| Publication Date | July 23, 2025, 8:30 AM PDT |
| Affected Versions | 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1 |
| Fixed Version | 5.2.2 |
The vulnerability stems from a flaw in the AWS Client VPN installation process on Windows devices. During installation, the installer reads its OpenSSL configuration file from a fixed directory path, C:\usr\local\windows-x86_64-openssl-localbuild\ssl, a location that a non-administrative user can write to.
Because the installer trusts a file at a path it does not control, the installation process itself becomes the avenue for exploitation.
The security issue allows a non-administrative user to place arbitrary code within the OpenSSL configuration file at the referenced location.
When an administrator subsequently initiates the AWS Client VPN client installation, the malicious code is executed with elevated root-level privileges, effectively granting the attacker administrative access to the system.
AWS has confirmed that this vulnerability exclusively affects Windows installations of the Client VPN software. Linux and macOS versions of the client remain unaffected by this particular security flaw.
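As an added example that is not part of the article or of AWS's own tooling, the following PowerShell script audits a Windows host for the two conditions described above: an installed client older than the fixed version 5.2.2, and an OpenSSL configuration directory that low-privileged principals can write to (or, if it does not yet exist, create). It assumes the product registers itself under the standard per-machine Uninstall registry keys with a DisplayName containing "AWS Client VPN" (an assumption; adjust the filter if the name differs).

```powershell
# Added audit script (not AWS code). Checks a host for the CVE-2025-8069 conditions:
#   1. AWS Client VPN installed at a version below 5.2.2
#   2. the OpenSSL config directory the installer reads is writable or creatable
#      by Everyone, BUILTIN\Users or Authenticated Users
# Assumption: the Uninstall-key DisplayName contains "AWS Client VPN".
$OpenSslDir   = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'   # path from the advisory
$FixedVersion = [version]'5.2.2'
$LowPrivSids  = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')              # Everyone, Users, Authenticated Users
$WriteMask    = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteData, AppendData, Modify, FullControl'

function Get-WeakAllowAces([string]$Path) {
    # Allow ACEs that grant any write/create right to a low-privileged principal.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $sid = $null
        try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
        $_.AccessControlType -eq 'Allow' -and $sid -in $LowPrivSids -and
            (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

# 1. Installed version, read from the standard per-machine Uninstall keys.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AWS Client VPN*' }
if (-not $apps) { Write-Host 'No AWS Client VPN install found in Uninstall keys.' }
foreach ($app in $apps) {
    $v = $null
    $ok = [version]::TryParse($app.DisplayVersion, [ref]$v) -and $v -ge $FixedVersion
    $status = if ($ok) { 'OK' } else { 'VULNERABLE: update to 5.2.2' }
    Write-Host ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status)
}

# 2. The directory the installer reads: writable if present, creatable if absent.
if (Test-Path -LiteralPath $OpenSslDir) {
    $weak = Get-WeakAllowAces $OpenSslDir
    if ($weak) {
        Write-Host "WARNING: $OpenSslDir exists and is writable by low-privileged principals:"
        $weak | ForEach-Object { Write-Host "  $($_.IdentityReference) [$($_.FileSystemRights)]" }
    } else { Write-Host "$OpenSslDir exists; no low-privileged write ACEs found." }
} else {
    # Walk up to the deepest existing ancestor: if non-admins may create folders there,
    # the missing path can be planted before an administrator runs the installer.
    $anc = $OpenSslDir
    while ($anc -and -not (Test-Path -LiteralPath $anc)) { $anc = Split-Path -Parent $anc }
    if ($anc -and (Get-WeakAllowAces $anc)) {
        Write-Host "WARNING: $OpenSslDir is absent, but $anc lets low-privileged users create it."
    } else { Write-Host "$OpenSslDir is absent and $anc grants no low-privileged create rights." }
}
```

Run it from an elevated prompt so Get-Acl can read every directory on the path; a WARNING on either check means the host should not run a pre-5.2.2 installer until it is updated.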
The AWS Client VPN service is a managed client-based VPN solution that provides secure access to both AWS cloud resources and on-premises infrastructure through encrypted tunnels.
Amazon has released AWS Client VPN Client version 5.2.2 to address this security vulnerability. The company strongly recommends that users immediately discontinue any new installations of AWS Client VPN versions prior to 5.2.2 on Windows systems.
Organizations should prioritize updating to the patched version to prevent potential privilege escalation attacks.
Currently, AWS has not provided any workarounds for affected versions, making the software update the only viable solution to mitigate the risk.
The vulnerability was discovered through collaboration with the Zero Day Initiative, following responsible disclosure practices.
This coordinated approach allowed AWS to develop and release a patch before the vulnerability details became publicly available, minimizing potential exploitation risks.
Organizations using AWS Client VPN on Windows systems should immediately assess their current software versions and implement the necessary updates to maintain security posture and prevent unauthorized privilege escalation attacks.