Cyber Resilience

CVE-2019-11510

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 08 May 2019
Modified: 18 December 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9446 (100.0th percentile)
Risk Priority: 97 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-11510 is a critical-severity Path Traversal (CWE-22) vulnerability in Ivanti Connect Secure. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-11510 is a path traversal vulnerability (CWE-22) affecting Pulse Secure Pulse Connect Secure (PCS) versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. It allows an unauthenticated remote attacker to read arbitrary files on the affected appliance by submitting a specially crafted URI, and carries a CVSS 3.1 base score of 10.0 reflecting network attack vector, low complexity, and no required privileges or user interaction.

An attacker with network access can exploit the flaw to retrieve sensitive files such as configuration data or credentials stored on the VPN appliance. Successful file disclosure can expose session tokens, private keys, and other material that enables further compromise of the device and connected networks.

Public references document working proof-of-concept exploits, an Nmap NSE script for mass scanning, and reports of more than 14,500 exposed endpoints remaining vulnerable months after disclosure. Advisories and vendor guidance direct administrators to apply the fixed releases (8.2R12.1, 8.3R7.1, or 9.0R3.4) to eliminate the issue.

EU & UK References

Vulnerability details

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: connect secure
Versions: 8.2, 8.3, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent (SI-2, Flaw Remediation): Directly requires applying the vendor patches (8.2R12.1, 8.3R7.1, 9.0R3.4) that eliminate the path-traversal flaw.

prevent (SI-10, Information Input Validation): Mandates input validation on URIs and path parameters to block the crafted requests that enable arbitrary file reads.

prevent: Enforces access-control policy so that unauthenticated remote actors cannot read arbitrary files regardless of URI manipulation.
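The input-validation control above is easier to reason about with concrete code. The following is an added Python example written for this page, not Pulse Secure or Ivanti code: it shows how a file-serving endpoint should decode, normalise and confine a client-supplied path before it reaches the filesystem, so that classic, percent-encoded, double-encoded and NUL-terminated traversal forms are all rejected. The function names (`fully_decode`, `resolve_under_root`, `classify`), the served root `/srv/files` and the request strings in `SAMPLE_REQUESTS` are assumptions constructed for the example.

```python
"""Hardened request-path resolution for a file-serving endpoint.

Added example for the SI-10 (Information Input Validation) control: decode,
normalise and confine a client-supplied path before it ever reaches open().
Function names, the root /srv/files and the sample requests are assumptions
made for this example; none of this is vendor code.
"""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path would escape the served root."""


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    Nested encodings (%252e -> %2e -> '.') defeat a single decode-then-check
    pass; decoding to a fixed point closes that gap. Input that is still
    changing after max_rounds is refused rather than guessed at.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise PathTraversalError("excessively nested percent-encoding")


def resolve_under_root(root: str, requested: str) -> str:
    """Return an absolute path inside `root` for `requested`, or raise.

    Order matters: decode first, then reject NUL and backslashes, join to
    the root, resolve symlinks and lexical '..' with realpath, and only then
    verify the result is still under the root.
    """
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Some servers treat '\' as a separator; refuse the ambiguity outright.
    if "\\" in decoded:
        raise PathTraversalError("backslash in path")
    # Leading slashes are stripped so an absolute request is reinterpreted
    # relative to the root instead of replacing it.
    relative = decoded.lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath is the confinement check. A plain startswith(root) would
    # wrongly accept /srv/files-private when the root is /srv/files.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"escapes root: {requested!r}")
    return candidate


def classify(root: str, requested: str) -> str:
    """Return 'allow' or 'deny' for a request; handy for logging and tests."""
    try:
        resolve_under_root(root, requested)
        return "allow"
    except PathTraversalError:
        return "deny"


# Constructed sample requests (not captured traffic): a benign path, classic
# traversal, URL-encoded and double-encoded traversal, an absolute path, and
# a NUL-injection attempt against extension checks.
SAMPLE_REQUESTS = [
    "docs/guide.txt",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/etc/passwd",
    "docs/guide.txt%00.png",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{classify('/srv/files', req):5s}  {req}")
```

Note that `/etc/passwd` is classified as allowed: after the leading slash is stripped it resolves to `/srv/files/etc/passwd`, a location inside the root, which is the intended behaviour. The check that actually blocks escape is the `commonpath` comparison against the real root, which also catches the sibling-directory case that a prefix-string comparison misses.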

References