CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.9%
Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. [1]
Although Pulse Secure [2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [[3]](<https://www.kb.cert.org/vuls/id/927237/ >) [[4]](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications >) [5]
CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [6]
A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.
Affected versions:
This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.
CISA strongly urges users and administrators to upgrade to the corresponding fixes. [7]
[2] Pulse Secure Advisory SA44101
[3] CERT/CC Vulnerability Note VU#927237
[4] CISA Current Activity Vulnerabilities in Multiple VPN Applications
[5] CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN
[6] Pulse Secure Advisory SA44101
[7] Pulse Secure Advisory SA44101
January 10, 2020: Initial Version|April 15, 2020: Revised to correct type of vulnerability
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
nvd.nist.gov/vuln/detail/CVE-2019-11510
nvd.nist.gov/vuln/detail/CVE-2019-11510
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Continued%20Exploitation%20of%20Pulse%20Secure%20VPN%20Vulnerability+https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a&title=Continued%20Exploitation%20of%20Pulse%20Secure%20VPN%20Vulnerability
www.instagram.com/cisagov
www.kb.cert.org/vuls/id/927237/
www.kb.cert.org/vuls/id/927237/
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a
www.oig.dhs.gov/
www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications
www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications
www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn
www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Continued%20Exploitation%20of%20Pulse%20Secure%20VPN%20Vulnerability&body=www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.9%