CVE-2025-8069 in AWS Client VPN
Summary
by MITRE • 07/23/2025
During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices.
We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2.
Analysis
by VulDB Data Team • 07/23/2025
This vulnerability represents a critical privilege escalation flaw in the AWS Client VPN client installation process on Windows systems. The issue stems from the installer's improper handling of OpenSSL configuration file paths during the installation sequence. Specifically, the installation process attempts to reference a hardcoded directory path at C:\usr\local\windows-x86_64-openssl-localbuild\ssl which contains the OpenSSL configuration file. This design flaw creates a path traversal and code execution opportunity that can be exploited by unprivileged users to gain elevated system privileges.
The technical implementation of this vulnerability involves a classic insecure file handling pattern where the installer does not properly validate or sanitize the configuration file path. When a non-admin user has write access to the specified directory, they can inject malicious code into the OpenSSL configuration file. This configuration file is then loaded and processed by the installer when executed with administrative privileges by an administrator. The vulnerability manifests as a privilege escalation vector because the installer process runs with elevated permissions, allowing the malicious code contained within the configuration file to execute with root-level privileges.
The operational impact of this vulnerability is significant as it allows any local user with access to the target Windows system to potentially execute arbitrary code with system-level privileges. This creates a persistent threat vector that can be exploited to establish backdoors, exfiltrate data, or perform further attacks within the compromised network. The attack requires minimal prerequisites since any user can potentially modify the configuration file, but the exploitation is only effective when an administrator subsequently runs the installer process. This timing aspect makes the vulnerability particularly dangerous as it can be exploited during routine administrative activities.
The vulnerability aligns with CWE-22 Path Traversal and CWE-78 Command Injection categories, representing a classic insecure file handling scenario. From an attack perspective, this vulnerability maps to the privilege escalation techniques documented in the MITRE ATT&CK framework under T1068 Privilege Escalation and T1547 Registry Run Keys. The issue specifically affects Windows operating systems and does not extend to Linux or macOS platforms, suggesting that the vulnerability is specific to the Windows installer implementation rather than a cross-platform OpenSSL issue. Organizations should immediately implement the recommended mitigation by discontinuing new installations of AWS Client VPN on Windows prior to version 5.2.2, which likely includes fixes for the insecure directory handling and path resolution mechanisms.
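A defensive check for the condition described above, as an added example that is not code from AWS, MITRE or VulDB: this PowerShell script walks from the referenced directory up to the drive root and reports, for each level, whether it exists, whether its owner is trusted, and which other principals hold write-type rights. The trusted SID list, the write-rights mask and the function name `Get-UntrustedWriter` are assumptions to adapt.

```powershell
# Added example: audit the OpenSSL config path named in the CVE description.
$Target = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'

# Principals allowed to hold write access (assumption; extend per environment).
$Trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)
$SidType = [System.Security.Principal.SecurityIdentifier]
# Rights that allow creating, replacing or re-permissioning files and folders.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.PropagationFlags -band $InheritOnly) -eq 0 -and   # ACE applies to this object
        ([int]$_.FileSystemRights -band $WriteMask) -ne 0 -and
        $Trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object { '{0} [{1}]' -f $_.IdentityReference.Value, $_.FileSystemRights }
}

# Walk from the target up to the drive root. A missing level can be created by
# whoever holds write rights on its nearest existing ancestor.
$report = for ($p = $Target; $p; $p = Split-Path -Path $p -Parent) {
    if (Test-Path -LiteralPath $p) {
        $owner = (Get-Acl -LiteralPath $p).GetOwner($SidType).Value
        [pscustomobject]@{
            Path             = $p
            Exists           = $true
            OwnerTrusted     = $Trusted -contains $owner
            UntrustedWriters = @(Get-UntrustedWriter -Path $p) -join '; '
        }
    } else {
        [pscustomobject]@{ Path = $p; Exists = $false; OwnerTrusted = $null; UntrustedWriters = '' }
    }
}
$report | Format-Table -AutoSize -Wrap | Out-Host

# Any existing level with an untrusted owner or writer needs review before an
# administrator runs an installer older than 5.2.2.
$report | Where-Object { $_.Exists -and (-not $_.OwnerTrusted -or $_.UntrustedWriters) }
```

On a default Windows installation the drive root usually lets Authenticated Users create folders, so a row for `C:\` with untrusted writers alongside missing child levels means a standard user could create the whole path.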