CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-11462 AWS ClientVPN macOS Client Local Privilege Escalation

unknownCVE-2025-11462
Bulletin ID: AWS-2025-020 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/10/07 01:30 PM PDT Description: AWS Client VPN is a managed client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supporting Windows, macOS, and Linux and provides the ability for end users to establish a secure tunnel to the AWS Client VPN Service. We have identified CVE-2025-11462, an issue in AWS Client VPN. The macOS version of the AWS VPN Client lacked proper validation checks on the log destination directory during log rotation. This allowed a non-administrator user to create a symlink from a client log file to a privileged location (e.g., Crontab). Triggering an internal API with arbitrary inputs would then write these inputs to the privileged location on log rotation, allowing execution with root privileges. This issue does not affect Windows or Linux devices. Affected versions: AWS Client VPN Client versions 1.3.2 through 5.2.0

CSIRTS triage

What
Lack of validation checks on log destination directory allows symlink creation.
Who is affected
Users of the macOS version of AWS Client VPN.
Urgency
Remediation is important as it could lead to privilege escalation.
Action
Update the AWS Client VPN macOS client installation process.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch AWS Client VPN

Get an email when a new AWS Client VPN advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-020/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-11462coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins