Amazon Web Services (AWS) has released a security patch for a high-severity local privilege escalation vulnerability (CVE-2025-8069) in the Windows version of its Client VPN software. The flaw, rated CVSS 7.8, lets a non-administrative user get code executed with elevated privileges during the installation process, a serious risk on shared or enterprise-managed devices where an administrator installs software on machines that lower-privileged users can also log into.
The issue lies in the way the AWS Client VPN for Windows installer locates its OpenSSL configuration file. According to AWS, the installer references a hardcoded directory path:
“During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file.”
The directory does not exist on a stock Windows installation, but a low-privileged user can create it (the default ACL on the C:\ root lets any authenticated user create folders there), and a folder the user created is writable by that user. If a malicious user plants a crafted OpenSSL configuration file in this directory and a system administrator subsequently runs the VPN client installer, the installer reads the attacker's configuration instead of a trusted one. An OpenSSL configuration file is not code in itself, but it can direct the library to load an engine or provider module from a path the file names, so an attacker-supplied module would run with the installer's SYSTEM-level privileges, effectively handing full control of the machine to the attacker.
Importantly, this vulnerability only affects Windows systems. Mac and Linux versions of the AWS Client VPN software are not impacted.
The flaw impacts the following versions of the AWS Client VPN for Windows:
- 4.1.0
- 5.0.0
- 5.0.1
- 5.0.2
- 5.1.0
- 5.2.0
- 5.2.1
Amazon has addressed the vulnerability in version 5.2.2 of the Client VPN software. The fix ensures that the installation process no longer references the insecure directory path, closing off the opportunity for privilege escalation via OpenSSL configuration files.
System administrators are encouraged to verify their deployments and upgrade all existing installations to version 5.2.2 or higher. Any installation packages based on older versions should be deprecated and removed from internal software catalogs to prevent inadvertent deployment.
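The following PowerShell script is an added example for checking a host, not code from AWS or from the advisory. It reads the installed AWS Client VPN version from the uninstall registry keys and compares it against 5.2.2, then checks whether the hardcoded OpenSSL configuration directory named in the advisory exists, who owns it, and whether low-privileged groups hold write access to it. The `DisplayName` match pattern (`*AWS VPN Client*`) and the registry locations are assumptions about how the client registers itself; adjust them if your build differs.

```powershell
# Added example (not AWS's code): audit a Windows host for CVE-2025-8069 exposure.
# Assumption (not from the advisory): the client registers an uninstall entry whose
# DisplayName contains "AWS VPN Client". Run from an elevated PowerShell session.

$FixedVersion = [version]'5.2.2'
# Directory named in the AWS advisory as the source of the OpenSSL config during install
$SuspectDir   = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'

function Get-AwsVpnClientInstall {
    # Both 64-bit and WOW6432Node uninstall hives are checked
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AWS VPN Client*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-AwsVpnClientVulnerable {
    param([string]$DisplayVersion)
    if (-not $DisplayVersion) { return $null }
    # Strip anything that is not a digit or dot so [version] can parse the string
    $v = [version]($DisplayVersion -replace '[^\d.]', '')
    return ($v -lt $FixedVersion)
}

function Test-SuspectDirExposure {
    if (-not (Test-Path -LiteralPath $SuspectDir)) {
        return [pscustomobject]@{ Exists = $false; Owner = $null; NonAdminWrite = $false }
    }
    $acl       = Get-Acl -LiteralPath $SuspectDir
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    # Any Allow ACE granting a write bit to a low-privileged principal is an exposure
    $nonAdminWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPriv -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    [pscustomobject]@{
        Exists        = $true
        Owner         = $acl.Owner
        NonAdminWrite = [bool]$nonAdminWrite
    }
}

# --- Report ---
$installs = Get-AwsVpnClientInstall
if (-not $installs) {
    Write-Output 'AWS VPN Client: not found in the uninstall registry.'
} else {
    foreach ($i in $installs) {
        $vuln  = Test-AwsVpnClientVulnerable -DisplayVersion $i.DisplayVersion
        $state = if ($vuln) { 'VULNERABLE (upgrade to 5.2.2 or later)' } else { 'patched' }
        Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
    }
}

$dir = Test-SuspectDirExposure
if ($dir.Exists) {
    Write-Output ('Suspect OpenSSL config dir exists: owner={0}, non-admin write={1}' -f $dir.Owner, $dir.NonAdminWrite)
    # List what is sitting in the directory so an analyst can inspect it before any install
    Get-ChildItem -LiteralPath $SuspectDir -Force | Select-Object Name, Length, LastWriteTime
} else {
    Write-Output 'Suspect OpenSSL config dir not present.'
}
```

The directory check is independent of the version check on purpose: the exposure window is the installation itself, so the useful question on a host that is about to receive an installer is whether that path already exists and who could have written to it. A directory that is present, owned by a non-administrative account, or writable by `Users` on a machine where nobody has a reason to have created it should be inspected before an administrator runs any installer older than 5.2.2.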