In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HIvanti Connect Secure
APPIvanti8.28.39.0
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Pulse Connect Secure
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
Ivanti Pulse Connect Secure contains an arbitrary file read vulnerability that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI.
Related vulnerabilities
Stack-based buffer overflow w Ivanti Connect Secure, Policy Secure i ZTA Gateways umożliwiający RCE
Stack-based buffer overflow RCE w Ivanti Connect Secure, Policy Secure i Neurons for ZTA
Command injection w Ivanti Connect Secure i Policy Secure — RCE jako administrator
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by...
Code injection w Ivanti Connect Secure i Policy Secure — RCE