Critical AWS VPN Client Flaw CVE-2025-11462 (CVSS 9.3) Allows Root Privilege Escalation on macOS

Amazon Web Services (AWS) has released an important bulletin warning users of a critical local privilege escalation in the AWS Client VPN application for macOS. The vulnerability, tracked as CVE-2025-11462 and rated 9.3 (Critical) under the CVSS v4 scoring system, could allow non-administrative macOS users to gain root-level privileges on their devices through a symlink manipulation attack during log rotation.

AWS Client VPN is a managed, client-based VPN service that enables secure access to AWS and on-premises resources. The AWS Client VPN client software runs on end-user devices, supports Windows, macOS, and Linux, and lets end users establish a secure tunnel to the AWS Client VPN service.

While the service itself remains secure, the vulnerability lies in the macOS client-side implementation, where improper validation of log destination paths could be exploited to elevate privileges.

The issue, Amazon explained, stems from insufficient validation during log rotation within the macOS version of the client. Specifically, the client failed to verify that the log file path pointed to a legitimate directory. This oversight allowed an attacker with local access to create a symbolic link (symlink) from a log file to a privileged system location such as /etc/crontab.

AWS stated, “The macOS version of the AWS VPN Client lacked proper validation checks on the log destination directory during log rotation. This allowed a non-administrator user to create a symlink from a client log file to a privileged location (e.g., Crontab).”

Once the symlink was in place, the attacker could exploit the logging process itself by injecting malicious input into the application’s internal API. When the log rotated, these injected inputs would be written into the privileged file, enabling arbitrary code execution with root privileges.

“Triggering an internal API with arbitrary inputs would then write these inputs to the privileged location on log rotation, allowing execution with root privileges,” AWS confirmed.

This represents a classic time-of-check-to-time-of-use (TOCTOU) vulnerability in file handling, where the client trusts a file path that an attacker can manipulate between the check and the write operations.
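The defensive pattern that closes this class of bug is to never write a log through a path that may be a symlink, and to verify the opened descriptor rather than the path. The following Python is an added illustration written for this article; it is not AWS's code and does not reproduce the client's logic. The `safe_open_log` and `write_log_line` function names, the `LogPathError` exception, and the temporary-directory scenario in `demo()` (a stand-in `protected_file` in place of a real privileged file) are all constructed for the example.

```python
import os
import stat
import tempfile


class LogPathError(Exception):
    """Raised when a log destination fails validation (hypothetical helper)."""


def safe_open_log(log_dir: str, name: str) -> int:
    """Open log_dir/name for appending without ever following a symlink.

    Returns an OS-level file descriptor. Raises LogPathError if the name could
    escape log_dir, if the entry is a symlink, or if the opened object is not the
    regular file that was inspected.
    """
    # Reject names that could walk out of the log directory.
    if os.sep in name or name in ("", ".", ".."):
        raise LogPathError(f"invalid log name: {name!r}")
    real_dir = os.path.realpath(log_dir)
    path = os.path.join(real_dir, name)

    # Pre-check: an attacker-planted symlink at the log path is refused outright.
    try:
        before = os.lstat(path)
        if stat.S_ISLNK(before.st_mode):
            raise LogPathError(f"refusing to write through symlink: {path}")
    except FileNotFoundError:
        before = None

    # O_NOFOLLOW makes the kernel fail the open if the final component is a
    # symlink, even one swapped in after the lstat above.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        raise LogPathError(f"cannot open {path}: {exc}") from exc

    # Post-check on the descriptor itself: it must be a regular file and, if it
    # existed before, the same inode we inspected. This closes the TOCTOU window.
    after = os.fstat(fd)
    same_inode = before is None or (
        (before.st_dev, before.st_ino) == (after.st_dev, after.st_ino)
    )
    if not stat.S_ISREG(after.st_mode) or not same_inode:
        os.close(fd)
        raise LogPathError(f"log target changed or is not a regular file: {path}")
    return fd


def write_log_line(log_dir: str, name: str, line: str) -> None:
    """Append one line to the named log using the validated open."""
    fd = safe_open_log(log_dir, name)
    try:
        os.write(fd, line.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a symlinked log entry is refused, a real one is written."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "logs")
        os.mkdir(log_dir)
        # Stand-in for a privileged file (constructed inside the temp dir).
        protected = os.path.join(tmp, "protected_file")
        with open(protected, "w") as f:
            f.write("original contents\n")
        # A symlink planted at the expected log path, pointing at the protected file.
        os.symlink(protected, os.path.join(log_dir, "client.log"))

        refused = False
        try:
            write_log_line(log_dir, "client.log", "attacker-controlled text\n")
        except LogPathError:
            refused = True
        with open(protected) as f:
            protected_unchanged = f.read() == "original contents\n"

        # A legitimate regular log file is written normally.
        write_log_line(log_dir, "other.log", "session started\n")
        with open(os.path.join(log_dir, "other.log")) as f:
            written = f.read()
        return {
            "refused": refused,
            "protected_unchanged": protected_unchanged,
            "written": written,
        }


if __name__ == "__main__":
    print(demo())
```

The two-stage check matters: the `lstat` alone is exactly the time-of-check that a symlink swap defeats, so the decision to trust the file is made on the descriptor returned by `open(..., O_NOFOLLOW)` and confirmed with `fstat`. A log rotation routine that renames and reopens files should apply the same validation to every path it touches.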

The vulnerability affects AWS Client VPN macOS versions 1.3.2 through 5.2.0. Fortunately, the flaw does not impact the Windows or Linux versions of the client, nor the cloud-side AWS Client VPN service itself.

AWS has patched the issue in version 5.2.1 of the Client VPN for macOS, released earlier this month. Customers running affected versions should update immediately.
