Published: 26/04/2019 Updated: 09/08/2019
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 701
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

In Pulse Secure Pulse Connect Secure version 9.0RX prior to 9.0R3.4, 8.3RX prior to 8.3R7.1, 8.2RX prior to 8.2R12.1, and 8.1RX prior to 8.1R15.1 and Pulse Policy Secure version 9.0RX prior to 9.0R3.2, 5.4RX prior to 5.4R7.1, 5.3RX prior to 5.3R12.1, 5.2RX prior to 5.2R12.1, and 5.1RX prior to 5.1R15.1, the admin web interface allows an authenticated malicious user to inject and execute commands.

Affected Products

Vendor | Product | Versions
Pulsesecure | Pulse Connect Secure | 8.1r1.0, 8.1r1.1, 8.1r2.0, 8.1r2.1, 8.1r3.0, 8.1r3.1, 8.1r3.2, 8.1r4.0, 8.1r4.1, 8.1r5.0, 8.1r6.0, 8.1r7.0, 8.1r8.0, 8.1r9.0, 8.1r9.1, 8.1r9.2, 8.1r10.0, 8.1r11.0, 8.1r11.1, 8.1r12.0, 8.1r12.1, 8.1r13.0, 8.1r14.0, 8.2r1.0, 8.2r1.1, 8.2r2.0, 8.2r3.0, 8.2r3.1, 8.2r4.0, 8.2r4.1, 8.2r5.0, 8.2r5.1, 8.2r6.0, 8.2r7.0, 8.2r7.1, 8.2r7.2, 8.2r8.0, 8.2r8.1, 8.2r8.2, 8.2r9.0, 8.2r10.0, 8.2r11.0, 8.2r12.0, 8.2rx, 8.3r1, 8.3r2, 8.3r2.1, 8.3r3, 8.3r4, 8.3r5, 8.3r5.1, 8.3r5.2, 8.3r6, 8.3r6.1, 8.3r7, 8.3rx, 9.0r1, 9.0r2, 9.0r2.1, 9.0r3, 9.0r3.1, 9.0r3.2, 9.0rx
Pulsesecure | Pulse Policy Secure | 5.1r1.0, 5.1r1.1, 5.1r2.0, 5.1r2.1, 5.1r3.0, 5.1r3.2, 5.1r4.0, 5.1r5.0, 5.1r6.0, 5.1r7.0, 5.1r8.0, 5.1r9.0, 5.1r9.1, 5.1r10.0, 5.1r11.0, 5.1r11.1, 5.1r12.0, 5.1r12.1, 5.1r13.0, 5.1r14.0, 5.2r1.0, 5.2r2.0, 5.2r3.0, 5.2r3.2, 5.2r4.0, 5.2r5.0, 5.2r6.0, 5.2r7.0, 5.2r7.1, 5.2r8.0, 5.2r9.0, 5.2r9.1, 5.2r10.0, 5.2r11.0, 5.2rx, 5.3r1.0, 5.3r1.1, 5.3r2.0, 5.3r3.0, 5.3r3.1, 5.3r4.0, 5.3r4.1, 5.3r5.0, 5.3r5.1, 5.3r5.2, 5.3r6.0, 5.3r7.0, 5.3r8.0, 5.3r8.1, 5.3r8.2, 5.3r9.0, 5.3r10., 5.3r11.0, 5.3r12.0, 5.3rx, 5.4r1, 5.4r2, 5.4r2.1, 5.4r3, 5.4r4, 5.4r5, 5.4r5.2, 5.4r6, 5.4r6.1, 5.4r7, 5.4rx, 9.0r1, 9.0r2, 9.0r2.1, 9.0r3, 9.0r3.1, 9.0rx


##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info, ...

#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 ...

Mailing Lists

Pulse Secure versions 8.1R15.1, 8.2, 8.3, and 9.0 SSL VPN remote code execution exploit ...

Metasploit Modules

Pulse Secure VPN Arbitrary Command Execution

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.

msf > use exploit/linux/http/pulse_secure_cmd_exec
msf exploit(pulse_secure_cmd_exec) > show targets
msf exploit(pulse_secure_cmd_exec) > set TARGET <target-id>
msf exploit(pulse_secure_cmd_exec) > show options
    ...show and set options...
msf exploit(pulse_secure_cmd_exec) > exploit

Recent Articles

Sodinokibi Ransomware Behind Travelex Fiasco: Report
Threatpost • Tara Seals • 07 Jan 2020

The Sodinokibi ransomware strain is apparently behind the New Year’s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.
The criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.
“It is just business. We absolutely do not care about you or your details, except gettin...

APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
Threatpost • Elizabeth Montalbano • 08 Oct 2019

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–C...