Critical privilege escalation vulnerability reported in AWS Client VPN for macOS
Take action: If you're using AWS Client VPN on macOS, check your version and upgrade to version 5.2.1 or later as soon as possible. Exploitation requires local access to the computer, but that access can be obtained by malware delivered through phishing or "free" apps.
Amazon Web Services is reporting a critical security vulnerability in the macOS version of its Client VPN software that could allow local attackers with limited system access to escalate privileges and execute arbitrary code with root-level permissions.
AWS Client VPN is a managed, client-based VPN service that enables secure remote access to AWS and on-premises resources across Windows, macOS, and Linux platforms.
The flaw is tracked as CVE-2025-11462 (CVSS score 9.3) and is caused by insufficient validation checks during the client's log rotation process. The macOS version of the AWS VPN Client lacks proper validation checks on the log destination directory during log rotation. This allows a non-administrator user with local access to the system to create a symbolic link (symlink) from the client's log file to a privileged system location, such as the crontab file located at /etc/crontab, which is used by the Unix cron daemon to schedule automated tasks with root privileges.
The vulnerability affects only the macOS implementation of the AWS Client VPN client and does not affect the Windows or Linux versions of the software. AWS released Security Bulletin AWS-2025-020 on October 7, 2025, detailing the flaw and providing remediation guidance for affected users. The vulnerability arises from a fundamental weakness in how the macOS client handles log file management during routine log rotation operations, which occur automatically as part of normal application maintenance.
By redirecting log output to the system's crontab file, the attacker can inject cron job entries that will be executed automatically by the cron scheduler with root-level permissions. This allows the attacker to execute arbitrary commands with complete system privileges, effectively gaining full administrative control over the compromised macOS device.
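As an added illustration, not AWS's code (the client's actual rotation logic is not published here), the following is a log-rotation routine that refuses to follow symlinks, which is the validation the advisory says the affected macOS client lacks. The function names `safe_rotate_log` and `demo` are hypothetical, and `demo` builds a constructed scenario in a temporary directory with a stand-in file in place of a privileged system file:

```python
import os
import stat
import tempfile
from pathlib import Path

def safe_rotate_log(log_dir: str, name: str, max_bytes: int) -> bool:
    """Rotate log_dir/name to name.1 without following symlinks; True if rotated."""
    if stat.S_ISLNK(os.lstat(log_dir).st_mode):
        raise OSError("log directory is a symlink")
    log_path = os.path.join(log_dir, name)
    st = os.lstat(log_path)  # lstat inspects the link itself, not its target
    if not stat.S_ISREG(st.st_mode) or st.st_nlink > 1:
        raise OSError("log is a symlink, hard link or non-file; refusing")
    # O_NOFOLLOW plus an inode comparison closes the check-then-use window
    fd = os.open(log_path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise OSError("log file was swapped between check and use")
        if fst.st_size < max_bytes:
            return False
    finally:
        os.close(fd)
    os.rename(log_path, log_path + ".1")  # rename(2) never follows symlinks
    # O_EXCL makes creation fail if anything now occupies the name
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    os.close(os.open(log_path, flags, 0o600))
    return True

def demo() -> dict:
    """Constructed scenario: symlinked log refused and target untouched; real log rotates."""
    root = Path(tempfile.mkdtemp())
    victim = root / "protected.txt"  # stand-in for a privileged system file
    victim.write_text("original")
    logs = root / "logs"
    logs.mkdir()
    link = logs / "client.log"
    link.symlink_to(victim)
    try:
        safe_rotate_log(str(logs), "client.log", 0)
        refused = False
    except OSError:
        refused = True
    intact = victim.read_text() == "original"
    link.unlink()
    link.write_text("x" * 100)
    rotated = safe_rotate_log(str(logs), "client.log", 50)
    return {"symlink_refused": refused, "target_intact": intact, "rotated": rotated,
            "old_kept": (logs / "client.log.1").stat().st_size == 100,
            "new_empty": link.stat().st_size == 0}
```

The same lstat/O_NOFOLLOW pattern applies to any privileged process that writes to a path a less-privileged user can control.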
Affected versions are AWS Client VPN Client versions 1.3.2 through 5.2.0 (macOS only).
Versions not affected:
- AWS Client VPN Client version 5.2.1 and later (macOS)
- All Windows versions of AWS Client VPN Client
- All Linux versions of AWS Client VPN Client
AWS has patched the vulnerability in Client VPN Client version 5.2.1. Organizations using AWS Client VPN on macOS devices should upgrade to version 5.2.1 or the latest available version ASAP.