Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, and VPN 5000 Client before 5.2.8 for Solaris, allow local users to gain root privileges via (1) close_tunnel and (2) open_tunnel.
http://www.iss.net/security_center/static/10131.php
http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml