Published: 23/04/2021 Updated: 28/04/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 10 | Impact Score: 6 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Pulse Connect Secure RCE Vulnerability. A vulnerability was discovered in Pulse Connect Secure (PCS). It includes an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.

Most Upvoted Vulmon Research Post

Pulse Connect Secure remote code execution through authentication bypass. CVSS v3.1 risk score is 10/10. The vulnerability has been exploited in the wild by the threat actor UNC2630. According to FireEye, UNC2630 may have ties with APT5 and the Chinese government. https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html


GitHub Repositories

CVE-2021-22893: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893). Shodan: www.shodan.io/search?query=http.component%3A%22pulse+secure%22

CVE-2021-22893: Proof-of-Concept (PoC) script to exploit Pulse Secure CVE-2021-22893

pulse_connect_secure-splunk-csvs: Pulse Connect Secure RCE, Webkit, and related vulnerabilities IOCs (IP addresses, hashes of web shell aspx files, names of aspx files, user-agents) used in exploiting CVE-2021-22893, courtesy FireEye. FireEye Blog: www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html Pul

Cybersecurity Incidents Mind Maps: Pulse Secure CVE-2021-22893, Exchange Marauder, SOLORIGATE_SUNBURST

Recent Articles

Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
Symantec Threat Intelligence Blog • Threat Hunter Team • 05 May 2021

Two-factor or multi-factor authentication is used to secure organizations and accounts from attackers, making it a problem for malicious actors. Recent attacks show how they are attempting to bypass or avoid it completely.

In recent years two-factor or multi-factor authentication (MFA) has been touted as the way to...

Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs
Threatpost • Tara Seals • 04 May 2021

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.
Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.
The zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS sever...

Pulse Secure fixes VPN zero-day used to hack high-value targets
BleepingComputer • Lawrence Abrams • 03 May 2021

Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies.
Last week, cybersecurity firm FireEye revealed that threat actors actively exploited […], tracked as […], to deploy malware on Pulse Secure devices to steal credentials and provide backdoor access to compromised networks.
A day later, US Cybersecurity and Infrastructure Secu...

Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Fireeye Threat Research • by Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels • 20 Apr 2021

Executive Summary

Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.
This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.
The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discover...

CISA orders federal orgs to mitigate Pulse Secure VPN bug by Friday
BleepingComputer • Sergiu Gatlan

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new emergency directive ordering federal agencies to mitigate an actively exploited vulnerability in Pulse Connect Secure (PCS) VPN appliances on their networks by Friday.
CISA issued the Emergency Directive (ED) 21-03 Tuesday after Pulse Secure confirmed a FireEye report saying that […] exploited the bug (tracked as CVE-2021-22893) to breach government and defense organizations in the US and across the glob...

Pulse Secure VPN zero-day used to hack defense firms, govt orgs
BleepingComputer • Sergiu Gatlan

Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base (DIB) networks.
To mitigate the vulnerability tracked as […] (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.

The Register

Dozens of defense companies, government agencies, and financial organizations in America and abroad appear to have been compromised by China via vulnerabilities in their Pulse Connect Secure VPN appliances – including a zero-day flaw that won't be patched until next month.
On Tuesday, IT software supplier Ivanti, the parent of Pulse Secure, issued a wake-up call to its customers by revealing it looks as though select clients were compromised via their encrypted gateways.
"There is ...