CVE-2019-11539
PUBLISHED
KEV
CVSS 8 HIGH
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
EPSS 93.90% · 99.9th percentile
Risk Scores
CVSS 3.0: 8 (CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:H/S:C/UI:N)
EPSS Score: 93.90% (99.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | * |
| pulsesecure | pulse_policy_secure | 5.3r5.1, 5.1r1.0, 5.1r1.1 |
| ivanti | connect_secure | 8.1, 8.1, 8.1 |
| ivanti | policy_secure | 9.0, 9.0, 9.0 |
Exploit Intelligence
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc-repo)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc)
- Exploit for the Post-Auth RCE vulnerability in Pulse Secure Connect (github-poc)
…and 74 more exploits
Timeline
- CVE Published
- Aug 10, 2019 PoC Published
- Sep 6, 2019 PoC Published
- Nov 12, 2019 PoC Published
- Nov 13, 2019 PoC Published
- Nov 20, 2019 PoC Published
- Dec 2, 2019 PoC Published
- May 7, 2020 PoC Published
- Sep 16, 2020 PoC Published
- Feb 25, 2021 PoC Published
- Apr 7, 2021 PoC Published
- Apr 14, 2021 EPSS Score
References
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 url
- 108073 vdb
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010 url
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf url
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html url
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/ url
- VU#927237 third-party-advisory
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html url
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539 url
- https://nvd.nist.gov/vuln/detail/CVE-2019-11539 advisory
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study url