Updated to add additional version & exploit details. Reps to Crime Dog
Vulnerable Versions: Nortel Contivity VPN Client V05_01.100
Patches/Workarounds: Good question
With the Contivity client open click go into "Group Authentication Options"
Select "Challenge Response Token" options.
Click on the "Software Token Directory" browse button.
Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.
The result is a command prompt running under the context of the LocalSystem account.
Discovered by Crime Dog thecrimedog[at]sbcglobal[dot]net