Amazon Web Services has disclosed a critical security vulnerability in its Client VPN software for Windows that could allow attackers to escalate privileges and execute malicious code with administrative rights.
The vulnerability, tracked as CVE-2025-8069, affects multiple versions of the AWS Client VPN client and has been patched in the latest release.
Key Takeaways
1. CVE-2025-8069 enables privilege escalation on AWS Client VPN Windows versions 4.1.0-5.2.1
2. Malicious OpenSSL config files execute with admin rights during installation
3. Upgrade to version 5.2.2 immediately
The flaw specifically targets the installation process on Windows devices, creating a pathway for local privilege escalation attacks that could compromise system security.
Privilege Escalation Flaw
The vulnerability originates from a design flaw in the AWS Client VPN client installation process on Windows systems.
During installation, the software references a specific directory path at C:\usr\local\windows-x86_64-openssl-localbuild\ssl to retrieve the OpenSSL configuration file. This predictable file path creates a security weakness that malicious actors can exploit.
The attack vector allows a non-administrative user to place arbitrary code within the OpenSSL configuration file at the referenced location.
When an administrator subsequently initiates the AWS Client VPN client installation process, the malicious code embedded in the configuration file executes with root-level privileges.
This privilege escalation technique effectively grants attackers the highest level of system access, potentially allowing them to install malware, modify system settings, or access sensitive data.
The vulnerability affects AWS Client VPN versions 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, and 5.2.1. Importantly, the security flaw is platform-specific and only impacts Windows devices, leaving Linux and macOS installations unaffected.
This limitation suggests the vulnerability is tied to Windows-specific implementation details in the installation process.
The vulnerability was discovered and reported by the Zero Day Initiative through a coordinated vulnerability disclosure process, highlighting the importance of responsible security research in identifying critical flaws.
| Risk Factors | Details |
| Affected Products | AWS Client VPN for Windows versions 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1 |
| Impact | Local Privilege Escalation |
| Exploit Prerequisites | Non-admin user write access to C:\usr\local\windows-x86_64-openssl-localbuild\ssl; administrator launches the AWS Client VPN installer |
| CVSS 3.1 Score | 7.8 (High) |
Patch Availability
AWS has addressed the security vulnerability in AWS Client VPN Client version 5.2.2, which is now available for download.
The company strongly recommends that organizations immediately discontinue new installations of any AWS Client VPN version prior to 5.2.2 on Windows systems to prevent potential exploitation.
System administrators should prioritize updating to the patched version, particularly in environments where multiple users have access to Windows systems running AWS Client VPN.
The local privilege escalation nature of this vulnerability makes it especially concerning in shared computing environments where untrusted users might have limited access to systems.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
.webp?w=100&resize=100,70&ssl=1 "Top 10 Best Autonomous Endpoint Management Tools in 2025")
