pulsesecure pulse-connect-secure CVE-2019-11539 in Pulse Secure and Ivanti Products
Published on April 26, 2019

product logo product logo
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

NVD

Known Exploited Vulnerability

This Pulse Connect Secure and Policy Secure Multiple Versions Code Execution vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Pulse Secure's Connect and Policy secure platforms contain a vulnerability in the admin web interface which allows an attacker to inject and execute commands.

The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions.

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2019-11539 has been classified to as a Shell injection vulnerability or weakness.


Products Associated with CVE-2019-11539

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-11539 are published in these products:

Pulse Secure Pulse Connect Secure
 
Pulse Secure Pulse Policy Secure
 
Ivanti Connect Secure
 
Ivanti Policy Secure
 

Exploit Probability

EPSS
93.90%
Percentile
99.87%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.