Vulnerability Details: CVE-2021-22899
A command injection vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.
Vulnerability category: Execute code
CVE-2021-22899 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Ivanti Pulse Connect Secure Command Injection Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.
Notes:
Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03.
Added on
2021-11-03
Action due date
2021-04-23
Exploit prediction scoring system (EPSS) score for CVE-2021-22899
0.29%: probability of exploitation activity in the next 30 days
~65%: EPSS percentile, the proportion of vulnerabilities that are scored at or below this score