CVE-2021-22893
published 2021-04-23

Priority: P1 · 98 · critical · 10 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 47.17% (98.7th percentile)
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
ivanti | connect_secure | |
ivanti | connect_secure | |
ivanti | pulse_connect_secure | |

Detection & IOCs (extracted from sources)

Snort SIDs: 51288, 51289, 51390, 57452-57459, 57461-57468
  • CVE-2021-22893 exploits the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure; monitor for unauthenticated requests targeting these specific features on PCS gateways.
  • Enable SSL/TLS decryption in Cisco Secure Firewall and Snort to detect exploitation attempts, as the vulnerable application leverages SSL.
  • Threat actors covering tracks on compromised Pulse/Ivanti appliances by overwriting files, time-stomping files, and re-mounting the runtime partition; look for these anti-forensic behaviors in host-based telemetry.
  • Web shells deployed on compromised Pulse/Ivanti appliances may show no file mismatches in integrity checks; do not rely solely on ICT scan results for compromise detection.
  • CVE-2021-22893 affects Pulse Connect Secure 9.0R3/9.1R1 and higher; versions below 9.0R3 are not listed as affected.
  • Ivanti's internal and previous external Integrity Checker Tool (ICT) is not sufficient to detect compromise; root-level persistence may survive factory resets.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 10.0 | CRITICAL |
cisa | | 10.0 | CRITICAL |