CVE-2025-11462 AWS ClientVPN macOS Client Local Privilege Escalation
Bulletin ID: AWS-2025-020
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/10/07 01:30 PM PDT
Description:
AWS Client VPN is a managed, client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supports Windows, macOS, and Linux, and lets end users establish a secure tunnel to the AWS Client VPN service.
We have identified CVE-2025-11462, an issue in AWS Client VPN. The macOS version of the AWS VPN Client lacked proper validation of the log destination directory during log rotation. This allowed a non-administrator user to replace a client log file with a symlink to a privileged location (e.g., a crontab file). Triggering an internal API with arbitrary inputs would then cause those inputs to be written through the symlink into the privileged location on the next log rotation, allowing execution with root privileges. Windows and Linux devices are not affected.
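The bug class above, a privileged log writer that follows a symlink planted by a less-privileged user, is easy to reproduce in miniature. The following is an added example and is not the AWS VPN Client's code: it models a "naive" rotator that writes through whatever the log path currently resolves to, beside a hardened rotator that confines the path to the log directory, refuses to follow a symlink on the final component (O_NOFOLLOW), and verifies with fstat that it opened a plain, singly-linked file owned by the expected user. All paths live in a temporary directory; the "root.crontab" file is a constructed stand-in for a privileged location, not a real crontab path.

```python
"""Illustrative model of the symlink-following log rotation bug class.
Added example code, not the AWS VPN Client's implementation. Everything
runs inside a temporary directory; the "privileged" target is a stand-in
for something like a crontab, not a real system path."""
import errno
import os
import stat
import tempfile

ORIGINAL = b"# original crontab\n"        # constructed contents of the stand-in target


def rotate_naive(log_path: str, payload: bytes) -> None:
    """Vulnerable pattern: a plain open() resolves symlinks, so whatever
    log_path currently points at receives the payload."""
    with open(log_path, "wb") as f:
        f.write(payload)


def rotate_hardened(log_dir: str, name: str, payload: bytes, expect_uid: int) -> None:
    """Safer pattern for a writer running with elevated privileges:
    1. the resolved log path must stay inside log_dir (catches symlinked
       parent directories, which O_NOFOLLOW alone does not);
    2. O_NOFOLLOW makes the open itself fail if the final component is a
       symlink, so a link swapped in between step 1 and the open is still
       refused (no check-then-use window);
    3. fstat on the open descriptor confirms a regular, singly-linked file
       owned by the expected user before anything is written."""
    log_path = os.path.join(log_dir, name)
    real_dir = os.path.realpath(log_dir)
    if os.path.dirname(os.path.realpath(log_path)) != real_dir:
        raise PermissionError(f"{log_path} resolves outside {log_dir}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(log_path, flags, 0o600)
    except OSError as e:
        # Linux and macOS report ELOOP for a refused symlink; some BSDs use EMLINK.
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError(f"{log_path} is a symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != expect_uid:
            raise PermissionError(f"{log_path} is not a plain file owned by uid {expect_uid}")
        os.ftruncate(fd, 0)          # rotation: start the new log empty
        os.write(fd, payload)
    finally:
        os.close(fd)


def demo() -> dict:
    """Build the scenario in a temp dir and report what each rotator did."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "logs")         # directory the unprivileged user can write to
        priv_dir = os.path.join(root, "privileged")  # stand-in for a root-only location
        os.mkdir(log_dir)
        os.mkdir(priv_dir)
        target = os.path.join(priv_dir, "root.crontab")  # constructed stand-in, not a real crontab
        with open(target, "wb") as f:
            f.write(ORIGINAL)

        log_path = os.path.join(log_dir, "client.log")
        os.symlink(target, log_path)                 # the non-admin user's step: log file is now a link
        payload = b"* * * * * /tmp/evil.sh\n"        # constructed attacker-controlled "log" content

        rotate_naive(log_path, payload)              # follows the link
        with open(target, "rb") as f:
            naive_overwrote = f.read() == payload
        with open(target, "wb") as f:                # restore the stand-in for the second run
            f.write(ORIGINAL)

        refused = False
        try:
            rotate_hardened(log_dir, "client.log", payload, os.getuid())
        except PermissionError:
            refused = True
        with open(target, "rb") as f:
            untouched = f.read() == ORIGINAL

        os.unlink(log_path)                          # legitimate case: a real log file
        rotate_hardened(log_dir, "client.log", payload, os.getuid())
        with open(log_path, "rb") as f:
            wrote_regular = f.read() == payload

        return {
            "naive_overwrote_target": naive_overwrote,
            "hardened_refused": refused,
            "hardened_target_untouched": untouched,
            "hardened_wrote_regular_file": wrote_regular,
        }


if __name__ == "__main__":
    print(demo())
```

The realpath check and O_NOFOLLOW are deliberately both present: the first rejects a symlinked parent directory, which O_NOFOLLOW does not inspect, and the second closes the race between that check and the open. The fstat step is what a rotator running as root should rely on, since the descriptor, not the path, is what it is about to write to.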
Affected versions:
AWS Client VPN Client for macOS, versions 1.3.2 through 5.2.0
Resolution:
This issue has been addressed in AWS Client VPN Client version 5.2.1. We recommend users upgrade to the latest version.
Workarounds:
N/A
References:
Please email aws-security@amazon.com with any security questions or concerns.