CVE-2025-11462: CWE-59 Improper Link Resolution Before File Access ('Link Following') in AWS Client VPN
Improper Link Resolution Before File Access in the AWS VPN Client for macOS versions 1.3.2-5.2.0 allows a local user to execute code with elevated privileges. Insufficient validation checks on the log destination directory during log rotation could allow a non-administrator user to create a symlink from a client log file to a privileged location. On log rotation, this could lead to code execution with root privileges if the user made crafted API calls which injected arbitrary code into the log file. We recommend users upgrade to AWS VPN Client for macOS 5.2.1 or the latest version.
AI Analysis
Technical Summary
CVE-2025-11462 is a critical local privilege escalation vulnerability found in AWS Client VPN for macOS versions 1.3.2 through 5.2.0. The root cause is improper link resolution before file access, classified under CWE-59. Specifically, during log rotation, the software insufficiently validates the log destination directory, allowing a local non-administrator user to create a symbolic link (symlink) from a client log file to an arbitrary privileged location on the filesystem. When the VPN client performs log rotation, it follows this symlink and writes to the privileged location. If the attacker has injected malicious code into the log file via crafted API calls, this code can be executed with root privileges. This vulnerability does not require user interaction or elevated privileges initially, only local access, making it a potent vector for privilege escalation. The vulnerability affects the confidentiality, integrity, and availability of the system because an attacker can gain root-level code execution, potentially compromising the entire system. AWS has addressed this issue in version 5.2.1 of the VPN client for macOS. No public exploits have been reported yet, but the CVSS 4.0 base score of 9.3 (critical) reflects the severity and ease of exploitation once local access is obtained. The vulnerability is particularly relevant to organizations using AWS Client VPN on macOS endpoints, especially in environments where local user accounts are not tightly controlled.
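The class of check that CWE-59 calls for during log rotation, as an added example: this is generic hardening code written for this page, not AWS's fix or any code from the VPN client. The function name, file names and the `0o600` mode are assumptions, and the directories above `log_dir` are assumed to be trusted.

```python
import errno
import os
import stat

# Never resolve a symlink in the final path component, never block on a FIFO.
NOFOLLOW = os.O_NOFOLLOW | os.O_NONBLOCK


def rotate_log(log_dir, name, rotated_name):
    """Rotate log_dir/name to log_dir/rotated_name without following links.

    Generic CWE-59 hardening; every name here is hypothetical.
    Raises PermissionError when a check fails, else returns rotated_name.
    """
    me = os.geteuid()
    # Pin the directory by descriptor so later steps cannot be redirected.
    dfd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        d = os.fstat(dfd)
        # If another account can write here, it can swap entries under us.
        if d.st_uid != me or d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("log directory writable by another account")
        try:
            fd = os.open(name, os.O_RDONLY | NOFOLLOW, dir_fd=dfd)
        except OSError as exc:
            if exc.errno in (errno.ELOOP, errno.EMLINK):
                raise PermissionError("log file is a symbolic link") from exc
            raise
        try:
            st = os.fstat(fd)  # inspect the opened object, not the path
            if not stat.S_ISREG(st.st_mode) or st.st_uid != me or st.st_nlink != 1:
                raise PermissionError("log file is not a private regular file")
        finally:
            os.close(fd)
        # rename() replaces the directory entry itself; it never writes
        # through a link that sits at the destination name.
        os.rename(name, rotated_name, src_dir_fd=dfd, dst_dir_fd=dfd)
        # O_EXCL turns a pre-existing entry at the live name into an error.
        new_fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | NOFOLLOW,
                         0o600, dir_fd=dfd)
        os.close(new_fd)
        return rotated_name
    finally:
        os.close(dfd)
```

The directory ownership and mode check carries most of the weight: once no other account can write to the pinned directory, the per-file checks cannot be raced.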
Potential Impact
The impact of CVE-2025-11462 is severe for organizations using AWS Client VPN on macOS systems. An attacker with local access but without administrative privileges can escalate to root privileges, enabling full system compromise. This can lead to unauthorized access to sensitive data, installation of persistent malware, disruption of VPN services, and lateral movement within networks. The compromise of VPN client endpoints is particularly dangerous as it can undermine the security of the entire corporate network by exposing VPN credentials or session information. Additionally, root-level access allows attackers to disable security controls, hide their presence, and manipulate system logs, complicating incident response. Organizations relying on AWS Client VPN for secure remote access must consider this vulnerability a critical risk to endpoint security and overall network integrity.
Mitigation Recommendations
To mitigate CVE-2025-11462, organizations should immediately upgrade all macOS AWS Client VPN installations to version 5.2.1 or later, where the vulnerability is patched. Additionally, implement strict local user account management to limit the number of users with local access and monitor for suspicious symlink creation or unusual file system activity related to VPN client logs. Employ endpoint detection and response (EDR) solutions capable of detecting privilege escalation attempts and anomalous log file modifications. Regularly audit and harden macOS endpoint configurations to reduce the attack surface, including restricting write permissions on directories used by VPN clients. Consider deploying application whitelisting to prevent unauthorized code execution. Finally, educate users about the risks of local account misuse and enforce strong access controls on VPN client machines.
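One way to check endpoints for the conditions named above (symlinks among client logs, log directories writable by other accounts), as an added example that is not part of the original advisory or any AWS tooling. The log directory and expected owner are caller-supplied assumptions because the page does not state the client's log path; the finding labels are made up for this sketch.

```python
import os
import stat


def audit_log_dir(log_dir, expected_uid):
    """Return sorted (finding, path, detail) tuples for one log tree.

    log_dir and expected_uid come from the caller; the advisory does not name
    the client's log location, so no path is assumed here.
    """
    findings = []
    for root, dirs, files in os.walk(log_dir, followlinks=False):
        st = os.lstat(root)
        # Group/other write on a log directory lets other accounts add links.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("dir-writable", root, oct(stat.S_IMODE(st.st_mode))))
        if st.st_uid != expected_uid:
            findings.append(("unexpected-owner", root, str(st.st_uid)))
        for entry in dirs + files:
            path = os.path.join(root, entry)
            st = os.lstat(path)  # lstat describes the link, not its target
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", path, os.readlink(path)))
            elif stat.S_ISREG(st.st_mode):
                # A second hard link means the same inode is reachable elsewhere.
                if st.st_nlink > 1:
                    findings.append(("hard-link", path, str(st.st_nlink)))
                if st.st_uid != expected_uid:
                    findings.append(("unexpected-owner", path, str(st.st_uid)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: script.py <log directory> <expected owner uid>
    for finding in audit_log_dir(sys.argv[1], int(sys.argv[2])):
        print(*finding, sep="\t")
```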
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Japan, France, Netherlands, India, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2025-10-07T19:19:54.057Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e57159a677756fc9a082f7
Added to database: 10/7/2025, 8:00:25 PM
Last enriched: 2/26/2026, 10:12:55 PM
Last updated: 3/22/2026, 1:27:34 PM