CVE-2020-8243
published 2020-09-30


Priority: P187, high, 7.2 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 90.76% (99.8th percentile)
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform arbitrary code execution.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | <= 9.0 | |
| ivanti | connect_secure | | |
| ivanti | policy_secure | <= 9.0 | |
| ivanti | policy_secure | | |

Detection & IOCs (extracted from sources)

snort
51288, 51289, 51390, 57452-57459, 57461-57468
  • CVE-2020-8243 is exploited via the Pulse Connect Secure admin web interface by uploading a malicious custom template; monitor admin interface file upload activity for unexpected template uploads.
  • Enable SSL/TLS decryption in Cisco Secure Firewall and Snort to detect exploitation attempts, as these vulnerabilities exploit applications leveraging SSL.
  • CVE-2020-8243 has been observed exploited in the wild alongside CVE-2019-11510 and CVE-2020-8260 in campaigns targeting government agencies, critical infrastructure, and private sector organizations dating back to at least June 2020.
  • Snort rules listed cover the broader Pulse Connect Secure vulnerability cluster (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260, CVE-2021-22893) and are not exclusively scoped to CVE-2020-8243; rule-to-CVE mapping should be verified via Firepower Management Center or Snort.org.
  • Exploitation of CVE-2020-8243 requires prior authentication to the admin web interface; detections should be scoped to authenticated admin sessions to reduce false positives.

CVSS provenance

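| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |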