Introduction
Attackers with local access to a macOS system running AWS Client VPN can escalate privileges to root by exploiting a log rotation flaw. In enterprise environments where multiple users share devices or where remote access is common, this vulnerability could allow a non-admin user to gain full system control if left unpatched.
About AWS Client VPN: Amazon Web Services (AWS) is the world’s leading cloud service provider, serving millions of customers globally. AWS Client VPN is a managed VPN solution that enables secure remote access to AWS and on-premises networks. Its widespread adoption across industries makes vulnerabilities in this product especially impactful.
Technical Information
CVE-2025-11462 is a local privilege escalation vulnerability in AWS Client VPN for macOS, specifically affecting versions 1.3.2 through 5.2.0. The root cause is improper validation of log file paths during the log rotation process. The client fails to check if the log file is a symbolic link before writing to it.
Attack Flow:
- A non-admin user creates a symbolic link from a VPN client log file to a privileged location, such as
/etc/crontab. - The attacker makes crafted API calls to the VPN client, injecting arbitrary code or cron job entries into the log output.
- When the VPN client rotates its logs, it writes the log contents (including the injected code) to the symlinked privileged location.
- If the target is a file like
/etc/crontab, the injected code is executed as root on the next cron run, granting the attacker root privileges.
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access). The attack leverages the fact that the VPN client operates with elevated privileges and does not adequately verify the destination of log writes during rotation.
Patch Information
To address the local privilege escalation vulnerability identified as CVE-2025-11462 in the AWS Client VPN macOS client, AWS has released version 5.2.1. This update introduces enhanced validation checks on the log destination directory during log rotation, effectively mitigating the risk associated with symbolic link manipulation.
In the vulnerable versions (1.3.2 through 5.2.0), the client did not adequately verify the log file paths, allowing non-administrator users to create symbolic links from client log files to privileged locations. This could be exploited to execute arbitrary commands with root privileges during log rotation.
The patch in version 5.2.1 implements strict validation to ensure that log files are written only to authorized directories, preventing unauthorized users from redirecting log outputs to sensitive system files.
Users are strongly encouraged to upgrade to AWS Client VPN Client version 5.2.1 to secure their systems against this vulnerability.
Patch source: AWS Security Bulletin
Affected Systems and Versions
- Product: AWS Client VPN for macOS
- Affected versions: 1.3.2 through 5.2.0 (inclusive)
- Only macOS client versions are affected. Other operating systems are not impacted by this vulnerability.
Vendor Security History
AWS Client VPN has had several recent privilege escalation vulnerabilities:
- CVE-2024-30165 (macOS): Allowed local attackers to uninstall the VPN client and exploit launchd persistence for privilege escalation.
- CVE-2025-8069 (Windows): Allowed non-admin users to place malicious OpenSSL config files for code execution during installation by an admin.
AWS typically responds quickly with patches, but the recurrence of privilege escalation issues in the Client VPN product line highlights ongoing challenges in secure file handling and privilege boundary enforcement.
