CVE-2020-8218


CVSS 7.2 HIGH | EPSS 32.7% | KEV | CWE-94
Vexday Risk Score: 83 (Fix now)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 7.2 | EPSS 32.7% | KEV: yes | Public PoC | Nuclei | Metasploit | Patch
Lifecycle
30 Jul 2020: Published on NVD
29 Aug 2020: Public PoC
07 Mar 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Pulse Connect Secure versions before 9.1R8 contain a code injection flaw in the admin interface that lets attackers execute arbitrary code by crafting a malicious URL.

Technical detail

A code injection vulnerability (CWE-94) in the admin web interface of Pulse Connect Secure <9.1R8 allows an attacker to execute arbitrary code by sending a crafted URI. The vulnerability requires network access to the admin interface and, per the CVSS vector (PR:H), high privileges; it results in complete system compromise.

Summary generated and translated by AI from the official description.
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform an arbitrary code execution via the admin web interface.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
