CVE-2020-8218
Published: 30 July 2020
Summary
CVE-2020-8218 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A code injection vulnerability tracked as CVE-2020-8218 affects Pulse Connect Secure versions prior to 9.1R8. The flaw, classified under CWE-94, resides in the product's admin web interface and permits an attacker to supply a crafted URI that results in arbitrary code execution on the affected appliance. The issue carries a CVSS 3.1 base score of 7.2, reflecting network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.
An authenticated administrator can leverage the vulnerability to execute arbitrary commands on the underlying system. Because the attack requires administrative credentials but no user interaction and can be launched remotely, a compromised or malicious admin account is sufficient to obtain full control of the Pulse Connect Secure instance.
Vendor guidance published in Pulse Security Advisory SA44516 recommends upgrading to version 9.1R8 or later to address the code-injection flaw. The same advisory is referenced by CISA within its catalog of known exploited vulnerabilities, confirming that the issue has been observed in active exploitation campaigns. Additional technical analysis is available in reporting from GoSecure that examines multiple Pulse Connect Secure issues disclosed around the same period.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-29091
Vulnerability details
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
- CWE(s): CWE-94
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the vendor patch (9.1R8+) that eliminates the code-injection flaw in the admin web interface.
Mandates validation of URI and other inputs to the admin interface, blocking the crafted payloads that trigger arbitrary code execution (CWE-94).
Limits the number of accounts with administrative privileges on the appliance, reducing the attack surface for an authenticated admin exploiting the flaw.