Amazon Web Services (AWS) has released a security patch addressing a high-severity local privilege escalation vulnerability (CVE-2025-8069) in its Windows-based Client VPN software. The flaw, rated CVSS 7.8, allows non-administrative users to execute code with elevated privileges during the installation process, posing a serious security risk for shared or enterprise-managed devices.

The vulnerability stems from the way AWS Client VPN for Windows handles OpenSSL configuration during installation. Specifically, the installer references a hardcoded directory path:

“During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file.”

This path is writable by low-privileged users. If a malicious user places a crafted configuration file in this directory and a system administrator later installs the VPN client, the malicious code embedded within the configuration file could be executed with SYSTEM-level privileges. This would effectively grant full control of the device to the attacker.

The vulnerability affects only Windows versions of AWS Client VPN. Mac and Linux versions remain unaffected.

The impacted versions are:

• 4.1.0
• 5.0.0
• 5.0.1
• 5.0.2
• 5.1.0
• 5.2.0
• 5.2.1

AWS has fixed the issue in version 5.2.2 by ensuring the installation process no longer references the insecure directory path, thereby closing the privilege escalation loophole.

System administrators are urged to upgrade all installations to version 5.2.2 or higher immediately. Additionally, any installation packages based on older versions should be deprecated and removed from internal software catalogs to prevent accidental deployment of vulnerable installers.

This proactive update is essential to safeguard Windows systems from local attacks exploiting configuration file manipulation during software installation.