CVE-2025-8069

AWS · AWS Multiple Products

A high-severity vulnerability exists in the AWS Client VPN installer for Windows that could allow a local attacker to gain complete control over a user's computer.

Executive summary

A high-severity vulnerability exists in the AWS Client VPN installer for Windows that could allow a local attacker to gain complete control over a user's computer. The installer insecurely searches for a configuration file in a predictable, non-standard location, enabling an attacker to place a malicious file that gets executed during installation. Successful exploitation would grant the attacker administrative privileges, leading to a full system compromise.

Vulnerability

The AWS Client VPN installer for Windows is vulnerable to a local privilege escalation. During the installation process, the software attempts to load an OpenSSL configuration file from a hardcoded, insecure directory: C:\usr\local\windows-x86_64-openssl-localbuild\ssl. On standard Windows configurations, any authenticated user can create directories at the root of the C: drive. An attacker with low-privileged local access can pre-create this specific directory path and place a specially crafted OpenSSL configuration file within it. When a privileged user runs the installer, it will load and parse the attacker's file, which can be engineered to load a malicious OpenSSL engine, resulting in arbitrary code execution with SYSTEM-level privileges.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8, posing a significant risk to the organization. Successful exploitation allows a local, unprivileged attacker to escalate their privileges to the highest level (SYSTEM) on an affected Windows workstation. This complete compromise of an endpoint could lead to the theft of sensitive corporate data and user credentials, the installation of persistent malware like ransomware or spyware, and the attacker using the compromised machine as a beachhead for lateral movement across the corporate network. The impact could range from a single compromised workstation to a wider network breach, depending on the attacker's objectives and the network's security posture.

Remediation

Immediate Action: Organizations must prioritize the deployment of the security updates provided by AWS for the Client VPN software across all affected Windows endpoints. According to the vendor's guidance, this is the primary method to fully mitigate the vulnerability. After patching, continue to monitor systems for any signs of pre-patch exploitation attempts and review relevant system and access logs.

Proactive Monitoring: Security teams should implement monitoring to detect potential exploitation attempts. This includes creating alerts within Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) systems for the creation of the directory path C:\usr\ on Windows endpoints, as this is a primary indicator of compromise (IoC) for this vulnerability. Additionally, monitor process execution logs for the AWS installer process accessing files within this unusual path.

Compensating Controls: If immediate patching is not feasible, organizations can implement compensating controls to reduce risk. Use an EDR solution or a Group Policy Object (GPO) to explicitly block the creation of the C:\usr\ directory by non-administrative users. Implementing application control policies, such as Windows Defender Application Control (WDAC) or AppLocker, can prevent the loading of unauthorized DLLs or OpenSSL engines, which would disrupt the final stage of the exploit chain.
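An added example covering both the monitoring and the compensating-control points above; it is not part of this advisory or of any AWS tooling. The script audits the hardcoded path for a pre-staged directory, and a second function pre-creates C:\usr with an ACL writable only by SYSTEM and Administrators, a local stand-in for the GPO/EDR block described above. The function names, the principal list and the owner-based "Suspicious" heuristic are assumptions made for this example.

```powershell
# Added example (not from the advisory): audit, and optionally harden, the hardcoded
# OpenSSL config path the AWS Client VPN installer searches. Run from an elevated session.
$VulnPath = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'
$UsrRoot  = 'C:\usr'

function Test-VpnInstallerOpenSslPath {
    # Principals that legitimately own directories at the root of C:; any other owner on
    # C:\usr or the ssl path suggests a low-privileged user created it (heuristic, assumed).
    $privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    foreach ($p in @($UsrRoot, $VulnPath)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $owner = (Get-Acl -LiteralPath $p).Owner
        [pscustomobject]@{
            Path       = $p
            Owner      = $owner
            Created    = (Get-Item -LiteralPath $p).CreationTime
            Suspicious = ($privileged -notcontains $owner)
        }
    }
    # Any file already staged in the ssl directory (e.g. an openssl.cnf) is triage evidence.
    if (Test-Path -LiteralPath $VulnPath) {
        Get-ChildItem -LiteralPath $VulnPath -File |
            Select-Object FullName, LastWriteTime, @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }
    }
}

function Protect-VpnInstallerOpenSslRoot {
    # Compensating control: pre-create C:\usr owned by Administrators with inheritance disabled,
    # so no low-privileged account can create the path the installer reads.
    # Only run this when C:\usr does not already exist or has been confirmed legitimate.
    if (-not (Test-Path -LiteralPath $UsrRoot)) {
        New-Item -ItemType Directory -Path $UsrRoot | Out-Null
    }
    $acl  = Get-Acl -LiteralPath $UsrRoot
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting the permissive C:\ ACEs
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($rule in @(
        @('NT AUTHORITY\SYSTEM',    $full),
        @('BUILTIN\Administrators', $full),
        @('BUILTIN\Users',          $read))) {        # read-only for everyone else
        $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $rule[0], $rule[1], $inh, 'None', 'Allow')))
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $UsrRoot -AclObject $acl
}

Test-VpnInstallerOpenSslPath | Format-Table -AutoSize
```

Run the audit first across the fleet; a result with Suspicious set to True, or any file under the ssl path, should be escalated to incident response rather than silently overwritten by the hardening function.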

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.8) of this vulnerability and the potential for complete system compromise, immediate remediation is strongly recommended. Although this CVE is not currently listed on the CISA KEV catalog, the risk of local privilege escalation is significant, especially in environments where users may be tricked into running malicious code that could then leverage this flaw. We advise organizations to treat this as a high-priority vulnerability and apply the vendor-supplied patches without delay. If patching is deferred, the compensating controls outlined above should be implemented as a temporary risk-reduction measure.