Vulnerability Details : CVE-2019-11539
Public exploit exists!
Used for ransomware!
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
CVE-2019-11539 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.
Added on
2021-11-03
Action due date
2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2019-11539
Probability of exploitation activity in the next 30 days: 97.09%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2019-11539
-
Pulse Secure VPN Arbitrary Command Execution
Disclosure Date: 2019-04-24First seen: 2020-04-26exploit/linux/http/pulse_secure_cmd_execThis module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disc
CVSS scores for CVE-2019-11539
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
8.0
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
1.3
|
6.0
|
MITRE |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2019-11539
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11539
-
https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study! | DEVCOREExploit;Third Party Advisory
-
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Pulse Security Advisory: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RXThird Party Advisory;Vendor Advisory
-
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
SonicWall Security AdvisoryThird Party Advisory
-
http://www.securityfocus.com/bid/108073
Pulse Connect Secure and Pulse Policy Secure Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Pulse Secure VPN Arbitrary Command Execution ≈ Packet StormThird Party Advisory;VDB Entry
-
https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Exploit;Third Party Advisory
-
http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Pulse Secure VPN Arbitrary Command Execution ≈ Packet StormThird Party Advisory;VDB Entry
-
https://www.kb.cert.org/vuls/id/927237
VU#927237 - Pulse Secure VPN contains multiple vulnerabilitiesThird Party Advisory;US Government Resource
-
http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
Pulse Secure 8.1R15.1 / 8.2 / 8.3 / 9.0 SSL VPN Remote Code Execution ≈ Packet StormThird Party Advisory;VDB Entry
Products affected by CVE-2019-11539
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.1r1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r1.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r3:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0r3.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r7.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2r7.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r7.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r8.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r7.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r1.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r9.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r3.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r5.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r7.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r3.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r5.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r6.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r1.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r7.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r8.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r3:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r9.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r9.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r5:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r6:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0r3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r6.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r7:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0r1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0r2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0r2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r4:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.4r5.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0r3:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r12.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r10.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.2r11.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r10.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r11.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r11.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r12.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r12.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r9.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r13.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3rx:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.1:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r9.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r11.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.1r14.0:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r8.2:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_policy_secure:5.3r10.:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:*:*:*:*:*:*:*