Initial Publication Date: 2022/04/12 15:30 PST
AWS is aware of the issues described in CVE-2022-25165 and CVE-2022-25166 relating to the AWS-provided Desktop VPN Client for Windows. These issues affect only client versions 2.0.0 and below; they have been addressed in version 3.0.0 and above. Note that these issues require existing code execution privileges and file access on the system running Desktop VPN Client for Windows. We recommend that customers upgrade to the latest version immediately to help ensure defense in depth.
The latest version of the AWS Client VPN software is available for download at https://aws.amazon.com/vpn/client-vpn-download.
We would like to thank Rhino Security Labs for reporting these issues.
Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.