⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-05-03.

CVE-2019-11539 — OS Command Injection in Ivanti Connect Secure

CWE-78 — OS Command Injection14 documents10 sources

Severity

7.2HIGHNVD

EPSS

93.9%

top 0.12%

CISA KEV

KEVRansomware

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Ivanti Connect Secure Ivanti Policy Secure Pulsesecure Pulse Policy Secure

Timeline

PublishedApr 26

KEV addedNov 3

KEV dueMay 3

Latest updateJun 18

CISA Required Action: Apply updates per vendor instructions.

Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDpulsesecure/pulse_policy_secure66 versions+65

▶NVDivanti/policy_secure9.0

▶NVDivanti/connect_secure4 versions+3

🔴Vulnerability Details

GHSA

GHSA-mchx-p635-vpq8: In Pulse Secure Pulse Connect Secure version 9↗2022-05-24

▶

CVEList

CVE-2019-11539: In Pulse Secure Pulse Connect Secure version 9↗2019-04-26

▶

VulnCheck

Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability↗2019

▶

💥Exploits & PoCs

Exploit-DB

Pulse Secure VPN - Arbitrary Command Execution (Metasploit)↗2019-11-20

▶

Exploit-DB

Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution↗2019-09-06

▶

🔍Detection Rules

Suricata

ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)↗2021-09-23

▶

📋Vendor Advisories

Ivanti

Pulse Connect Secure Command Injection (admin)↗2021-11-03

▶

CISA

Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability↗2021-11-03

▶

📄Research Papers

CTF

20191018-hitcon-quals / README↗2019

▶

💬Community

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)↗2024-06-18

▶

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████↗2021-07-29

▶

HackerOne

Command Injection (via CVE-2019-11510 and CVE-2019-11539)↗2020-05-07

▶

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███↗2019-12-02

▶