CVE-2019-11510
published 2019-05-08

Priority: P1 (score 100, critical)
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability: due 2022-05-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.

Affected (4 ranges)

Vendor | Product              | Version range | Fixed in
ivanti | connect_secure       |               |
ivanti | connect_secure       |               |
ivanti | connect_secure       |               |
ivanti | pulse_connect_secure |               |

Detection & IOCs (extracted from sources)

  • CVE-2019-11510 exploitation involves sending a specially crafted URI to achieve unauthenticated arbitrary file disclosure on Pulse Connect Secure; monitor for path traversal patterns in HTTP requests targeting PCS appliances.
  • Exploitation of CVE-2019-11510 can expose private keys and credentials; post-exploitation activity may include credential harvesting and use of stolen VPN credentials for initial access.
  • CVE-2019-11510 has been exploited to install REvil (Sodinokibi) ransomware; detections of post-exploitation ransomware activity should be correlated with Pulse Secure VPN compromise.
  • APT29 (SVR) has actively exploited CVE-2019-11510 for initial access; correlate Pulse Secure VPN exploitation with subsequent lateral movement and credential theft TTPs associated with APT29.
  • SSL decryption must be enabled on network security devices to detect exploitation of CVE-2019-11510, as the vulnerability is exploited over SSL.
  • Iranian threat actors (Fox Kitten campaign) also exploited CVE-2019-11510 in a multi-year campaign targeting IT, telecom, oil and gas, aviation, government, and security sectors; broaden threat actor attribution scope when investigating exploitation.
  • Check Point IPS provides detection coverage for CVE-2019-11510 under the signature 'Pulse Connect Secure File Disclosure (CVE-2019-11510)'.
  • Despite an official patch being available since disclosure, widespread exploitation of unpatched servers continued well into 2020 and 2021; patch status of Pulse Secure VPN appliances must be verified before assuming protection.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd       | v3.0    | 9.9   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 10.0  | CRITICAL |
cisa      |         | 10.0  | CRITICAL |