⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2021-22893: Improper Authentication in Pulse Connect Secure

Severity: 10.0 CRITICAL (NVD)
EPSS: 93.6% (top 0.16%)
CISA KEV: KEV, Ransomware. Added 2021-11-03. Due 2022-05-03.
Exploit: Exploited in wild. Active exploitation observed.
Timeline: Published Apr 23, KEV added Nov 3, KEV due May 3, Latest update May 24
CISA Required Action: Apply updates per vendor instructions.

Description

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5: pulsesecure/pulse_connect_secure, PCS 9.0R3 or above, PCS 9.1R1 and above
NVD: ivanti/connect_secure, 9.0, 9.1 (+1)

🔴 Vulnerability Details (3)

GHSA: GHSA-hcxw-prp6-q3jq: Pulse Connect Secure 9 (2022-05-24)
CVEList: CVE-2021-22893: Pulse Connect Secure 9 (2021-04-23)
VulnCheck: Ivanti Pulse Connect Secure Use-After-Free Vulnerability (2021)

🔍 Detection Rules (3)

Suricata: ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2 (2021-05-05)
Suricata: ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3 (2021-05-05)
Suricata: ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1 (2021-05-05)

📋 Vendor Advisories (2)

Ivanti: Pulse Connect Secure RCE (exploited by APT) (2021-11-03)
CISA: Ivanti Pulse Connect Secure Use-After-Free Vulnerability (2021-11-03)

🕵️ Threat Intelligence (2)

Talos: Threat Advisory: Pulse Secure Connect Coverage (2021-04-22)
Talos: Threat Advisory: Pulse Secure Connect Coverage (2021-04-22)