CVE-2021-22899

CVSS 8.8 HIGHEPSS 22.3%● KEVCWE-77

Vexday Risk Score

56Attention

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 8.8EPSS 22.3%KEV simPoC —Nuclei —Metasploit —Patch —

Lifecycle

27 May 2021Published on NVD

03 Nov 2021Active exploitation (CISA KEV)

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

Pulse Connect Secure has a flaw in its Windows Resource Profiles feature that lets authenticated users run arbitrary commands on the server. This is dangerous because someone with login credentials can take over the system.

Technical detail

CWE-77 command injection vulnerability in the Windows Resource Profiles feature of Pulse Connect Secure versions prior to 9.1R11.4 allows an authenticated attacker to execute arbitrary system commands with the privileges of the application, leading to complete system compromise.

Summary generated and translated by AI from the official description.

A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · Pulse Connect Secure

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22899