Cyber Resilience

CVE-2020-8218

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 30 July 2020

Published
30 July 2020
Modified
30 October 2025
KEV Added
07 March 2022
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9110 99.7th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-8218 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A code injection vulnerability tracked as CVE-2020-8218 affects Pulse Connect Secure versions prior to 9.1R8. The flaw, classified under CWE-94, resides in the product's admin web interface and permits an attacker to supply a crafted URI that results in arbitrary code execution on the affected appliance. The issue carries a CVSS 3.1 base score of 7.2, reflecting network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.

An authenticated administrator can leverage the vulnerability to execute arbitrary commands on the underlying system. Because the attack requires administrative credentials but no user interaction and can be launched remotely, a compromised or malicious admin account is sufficient to obtain full control of the Pulse Connect Secure instance.

Vendor guidance published in Pulse Security Advisory SA44516 recommends upgrading to version 9.1R8 or later to address the code-injection flaw. The same advisory is referenced by CISA within its catalog of known exploited vulnerabilities, confirming that the issue has been observed in active exploitation campaigns. Additional technical analysis is available in reporting from GoSecure that examines multiple Pulse Connect Secure issues disclosed around the same period.

EU & UK References

Vulnerability details

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.

CWE(s)
KEV Date Added
07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
connect secure
9.1 · ≤ 9.0
ivanti
policy secure
9.1
pulsesecure
pulse policy secure
≤ 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (9.1R8+) that eliminates the code-injection flaw in the admin web interface.

prevent

Mandates validation of URI and other inputs to the admin interface, blocking the crafted payloads that trigger arbitrary code execution (CWE-94).

prevent

Limits the number of accounts with administrative privileges on the appliance, reducing the attack surface for an authenticated admin exploiting the flaw.

References