PatchSiren

CVE-2017-3813 Cisco CVE debrief

CVE-2017-3813 affects Cisco AnyConnect Secure Mobility Client on Windows. A flaw in the Start Before Logon (SBL) module’s access controls could let a local attacker open Internet Explorer in the SYSTEM context, which could be used to run privileged commands. Cisco lists fixed releases 4.4.00243 and later, and 4.3.05017 and later.

Vendor: Cisco
Product: CVE-2017-3813
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Windows endpoint and VPN administrators using Cisco AnyConnect Secure Mobility Client, especially environments that deploy the Start Before Logon module or allow local user access on managed hosts.

Technical summary

Cisco and NVD describe an access-control weakness in the AnyConnect SBL module on Windows. The issue can allow a local attacker to launch Internet Explorer with SYSTEM privileges; Cisco says exploitation may permit privileged command execution. The supplied records identify Cisco AnyConnect Secure Mobility Client versions before 4.4.00243 and 4.3.05017 as affected, with remediation available in the vendor-fixed releases.

Defensive priority

High for affected Windows endpoints, because the flaw can elevate local activity to SYSTEM on hosts running vulnerable Cisco AnyConnect clients.

Recommended defensive actions

  • Upgrade Cisco AnyConnect Secure Mobility Client to 4.4.00243 or later, or 4.3.05017 or later if remaining on the 4.3 line.
  • Inventory Windows systems using AnyConnect and verify the installed client version and Start Before Logon deployment status.
  • Prioritize remediation on endpoints where local user access is possible.
  • Review Cisco’s advisory for any vendor-specific mitigation or deployment guidance.
  • Monitor for unexpected Internet Explorer launches or other SYSTEM-context activity on affected hosts.
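
A triage pass over an endpoint inventory export, added here as an example and not taken from Cisco's advisory or this page's sources. It classifies each client against the fixed releases per release train, so a 4.4 build below 4.4.00243 is not mistaken for fixed just because it sorts after 4.3.05017. The CSV columns, host names and sample versions are constructed; treating trains older than 4.3 as affected and trains newer than 4.4 as fixed is an assumption drawn from the "or later" wording above.

```python
import csv
import io

# Fixed build per release train, from the fixed releases listed on this page.
FIXED_BUILD = {(4, 3): 5017, (4, 4): 243}

def parse_version(text):
    """Parse 'major.minor.build' (e.g. '4.3.05017') into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized AnyConnect version: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build

def is_affected(text):
    """True if the version predates the fixed build for its own train."""
    major, minor, build = parse_version(text)
    train = (major, minor)
    if train in FIXED_BUILD:
        return build < FIXED_BUILD[train]
    # Assumption: trains older than 4.3 are affected, newer than 4.4 are fixed.
    return train < (4, 3)

def triage(inventory_csv):
    """Return (host, version, status) rows, affected SBL hosts first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            affected = is_affected(rec["version"])
        except ValueError:
            status = "unknown-version"  # needs manual verification
        else:
            sbl = rec["sbl_installed"].strip().lower() == "yes"
            status = ("affected-sbl" if sbl else "affected-no-sbl") if affected else "fixed"
        rows.append((rec["host"], rec["version"], status))
    order = {"affected-sbl": 0, "unknown-version": 1, "affected-no-sbl": 2, "fixed": 3}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,version,sbl_installed
ws-001,4.3.05017,yes
ws-002,4.4.00100,yes
ws-003,4.2.01035,no
ws-004,4.4.00243,no
ws-005,4.3.04027,yes
ws-006,unknown,yes
"""

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE):
        print(f"{host}\t{version}\t{status}")
```

Rows with an unparseable version are kept and ranked just below affected SBL hosts so they are verified by hand rather than silently dropped.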

Evidence notes

The CVE was published on 2017-02-09, and the supplied NVD record was last modified on 2026-05-13; do not treat the modification date as the vulnerability date. Cisco’s description says the attacker is unauthenticated and local, while the NVD CVSS vector includes PR:L, so privilege requirements should be interpreted carefully and anchored to the vendor advisory.

Official resources

Publicly disclosed in Cisco and NVD records on 2017-02-09; the NVD entry was later modified on 2026-05-13.