Cisco warns admins to patch AnyConnect flaws exploited in attacks
Bleeping Computer – Sergiu Gatlan
Cisco warned customers today that two security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild.
The two security flaws (tracked as CVE-2020-3433 and CVE-2020-3153) enable local attackers to perform DLL hijacking attacks and copy files to system directories with system-level privileges.
Luckily, both vulnerabilities require authentication: attackers must have valid credentials on the system. However, they could be chained with Windows privilege escalation flaws, especially since proof-of-concept exploits are already available online for both CVEs [1, 2].
Link: https://www.bleepingcomputer.com/news/security/cisco-warns-admins-to-patch-anyconnect-flaws-exploited-in-attacks/