AWS VPN Client for macOS Privilege Escalation Vulnerability (CVE-2025-11462)
A critical vulnerability, tracked as CVE-2025-11462, was discovered in the AWS Client VPN application for macOS, allowing local users to escalate privileges to root. The flaw, which received a CVSS score of 9.3, is caused by improper link resolution before file access in the AWS VPN Client for macOS versions 1.3.2 through 5.2.0. Insufficient validation checks on the log destination directory during log rotation enable a non-administrator user to create a symbolic link from a client log file to a privileged location. When log rotation occurs, this symlink can be exploited to inject arbitrary code into the log file, which is then executed with root privileges. The vulnerability is not remotely exploitable, requiring local access to the affected system. Security researchers highlighted that a crafted API call could be used to inject malicious code into the log file, further increasing the risk of exploitation. AWS has released a patched version, AWS VPN Client for macOS 5.2.1, and strongly recommends all users upgrade to this or the latest available version to mitigate the risk. The vulnerability was publicly disclosed on October 7, 2025, and has been classified as critical due to the potential for full system compromise. No evidence of active exploitation in the wild has been reported at the time of disclosure, but the technical details suggest that exploitation would be straightforward for a local attacker. The flaw does not affect other operating systems or AWS VPN clients for platforms other than macOS. Organizations using affected versions are urged to update immediately and review system logs for any signs of suspicious activity. The vulnerability underscores the importance of secure log handling and proper validation of file operations in privileged applications. Security advisories recommend restricting local access to systems running vulnerable versions until patches are applied. The issue was identified and reported through responsible disclosure channels, and AWS responded promptly with a fix. The vulnerability highlights ongoing risks associated with privilege escalation flaws in widely used enterprise software.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CVE-2025-11462 disclosed for AWS Client VPN macOS Client
A local privilege escalation vulnerability, tracked as CVE-2025-11462, was publicly disclosed affecting the AWS Client VPN macOS Client. Reporting described the flaw as critical, with a CVSS score of 9.3, and said it could allow escalation to root privileges on macOS.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Critical AWS VPN Client Flaw CVE-2025-11462 (CVSS 9.3) Allows Root Privilege Escalation on macOS
securityonline.info
Open sourceCVE-2025-11462 - Local Privilege Escalation Vulnerability in AWS Client VPN macOS Client
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Authentication Token Exposure Vulnerability in Amazon WorkSpaces Client for Linux
A critical vulnerability, tracked as CVE-2025-12779, was discovered in the Amazon WorkSpaces client for Linux, specifically affecting versions 2023.0 through 2024.8. The flaw arises from improper handling of authentication tokens, which can allow local users on the same client machine to extract valid tokens and gain unauthorized access to other users’ WorkSpace sessions. AWS issued a security bulletin (AWS-2025-025) on November 5, 2025, categorizing the issue as important and urging immediate remediation to prevent potential credential exposure on shared systems. The vulnerability does not allow for remote exploitation but poses a significant risk in environments where multiple users share the same Linux client. AWS recommends upgrading to version 2025.0 or later of the Amazon WorkSpaces client for Linux to mitigate the risk. Organizations relying on AWS virtual desktop infrastructure are advised to review their deployments and ensure all affected clients are updated to prevent unauthorized access and potential data compromise.
Jun 29, 2026
Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN (CVE-2025-9242)
A critical security vulnerability, tracked as CVE-2025-9242, was discovered in WatchGuard Fireware OS, which powers WatchGuard’s Firebox network security appliances. This flaw is an out-of-bounds write vulnerability in the iked process, specifically within the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'. The vulnerability arises due to a missing length check on the identification buffer, allowing a remote, unauthenticated attacker to trigger a stack-based buffer overflow. Exploitation of this flaw enables arbitrary code execution during the IKE_SA_AUTH phase of the IKEv2 handshake, which is used to establish VPN tunnels. The vulnerability affects both mobile user VPNs and branch office VPNs configured with dynamic gateway peers, making it a significant risk for organizations relying on these features. Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 are impacted, with fixes released in 2025.1.1, 12.11.4, 12.3.1_Update3 (FIPS-certified), and 12.5.13 for specific models. The 11.x branch has reached end-of-life and is no longer supported. Security researchers, including McCaulay Hudson of watchTowr Labs, highlighted that the vulnerability is particularly attractive to ransomware groups due to its remote, unauthenticated nature and the fact that it targets internet-exposed perimeter appliances. WatchGuard’s Fireware OS is widely deployed, protecting over 250,000 small and midsize enterprises and more than 10 million endpoints globally, amplifying the potential impact of this vulnerability. The flaw was disclosed and patched following responsible disclosure, with WatchGuard issuing an advisory and urging customers to update affected devices immediately. The vulnerability underscores the ongoing risk posed by classic buffer overflow issues, even in modern enterprise-grade security appliances. Researchers were able to reproduce the exploit, demonstrating the ease with which attackers could compromise vulnerable systems. The lack of mainstream exploit mitigations in the affected code path further increases the risk of successful exploitation. Organizations using WatchGuard Fireware OS are advised to review their VPN configurations, apply the latest patches, and consider additional monitoring for signs of exploitation. The incident highlights the importance of timely patch management and the persistent threat posed by memory safety vulnerabilities in critical infrastructure.
Jun 29, 2026
Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN
A critical vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard's Fireware OS, affecting a wide range of Firebox network security appliances. This flaw is an out-of-bounds write in the 'iked' process, which is responsible for handling IKEv2 VPN negotiations. The vulnerability allows remote attackers to execute arbitrary code on affected devices without authentication, posing a severe risk to organizations relying on these appliances for network security. The issue specifically impacts devices configured with mobile user VPNs or branch office VPNs using IKEv2 with dynamic gateway peers. Security researchers have demonstrated that attackers can exploit this bug by sending specially crafted IKEv2 packets during the IKE_SA_AUTH phase, triggering a buffer overflow in the ike2_ProcessPayload_CERT function. Once exploited, attackers can gain control of the instruction pointer, establish Python interactive shells over TCP, and escalate to a full Linux shell by remounting filesystems and deploying BusyBox binaries. The vulnerability has been assigned a CVSS score of 9.3, underscoring its critical nature. According to scans by The Shadowserver Foundation, nearly 76,000 Firebox appliances remain exposed and vulnerable on the public internet, with the highest concentrations in the United States, Germany, Italy, the United Kingdom, Canada, and France. Affected Fireware OS versions include 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release, impacting both older and newer Firebox models. WatchGuard has released patches in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1 to address the vulnerability. Devices running version 11.x are no longer supported and will not receive security updates, prompting the vendor to recommend upgrading to a supported version. For appliances configured only with Branch Office VPNs to static gateway peers, WatchGuard has provided documentation for securing connections as a temporary workaround. The vulnerability transforms trusted security appliances into potential entry points for attackers, threatening the integrity of network defenses. Organizations are urged to assess their Firebox deployments, prioritize patching, and review VPN configurations to mitigate the risk. The widespread exposure of vulnerable devices highlights the urgency of remediation efforts. WatchGuard's disclosure and the subsequent public scanning have brought significant attention to the issue, emphasizing the importance of timely patch management in network security infrastructure. Failure to address this vulnerability could result in unauthorized access, lateral movement, and compromise of sensitive internal networks. The incident serves as a stark reminder of the risks posed by critical flaws in security appliances and the need for continuous monitoring and rapid response.
Jun 29, 2026