⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-8243 — Code Injection in Ivanti Connect Secure

CWE-94 — Code Injection16 documents10 sources

Severity

7.2HIGHNVD

EPSS

13.2%

top 5.84%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Ivanti Connect Secure Ivanti Policy Secure

Timeline

PublishedSep 30

KEV addedNov 3

KEV dueMay 3

Latest updateJan 8

CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDivanti/connect_secure9.0+1

▶NVDivanti/policy_secure9.0+1

🔴Vulnerability Details

GHSA

GHSA-87wj-wph2-98g5: A vulnerability in the Pulse Connect Secure < 9↗2022-05-24

▶

CVEList

CVE-2020-8243: A vulnerability in the Pulse Connect Secure < 9↗2020-09-29

▶

VulnCheck

Ivanti Pulse Connect Secure Code Execution Vulnerability↗2020

▶

📋Vendor Advisories

Ivanti

Ivanti Pulse Connect Secure Code Execution Vulnerability↗2021-11-03

▶

CISA

Ivanti Pulse Connect Secure Code Execution Vulnerability↗2021-11-03

▶

🕵️Threat Intelligence

Tenable

CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild↗2025-01-08

▶

Tenable

CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways↗2024-01-10

▶

Qualys

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys↗2022-02-23

▶

Qualys

Qualys Response to CISA Alert: Binding Operational Directive 22-01↗2021-11-09

▶

Qualys

Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys↗2021-11-09

▶