Cyber Resilience

CVE-2020-8260

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 28 October 2020

Published
28 October 2020
Modified
18 December 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7303 98.8th percentile
Risk Priority 78 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-8260 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability tracked as CVE-2020-8260 affects the admin web interface of Pulse Connect Secure versions prior to 9.1R9. It stems from uncontrolled gzip extraction during file handling, which corresponds to CWE-434 and permits arbitrary code execution on the underlying system. The flaw carries a CVSS 3.1 base score of 7.2 with network attack vector, low complexity, and high-privilege requirements.

An authenticated administrator can exploit the issue over the network to upload and extract a malicious gzip archive, resulting in full compromise of confidentiality, integrity, and availability on the affected appliance. Successful exploitation grants the attacker the ability to run arbitrary commands with the privileges of the web interface process.

Pulse Secure advisory SA44601 addresses the issue and directs customers to upgrade to version 9.1R9 or later. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, and public exploit code has been published on Packet Storm.

EU & UK References

Vulnerability details

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
connect secure
9.1 · ≤ 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of uploaded gzip archives in the admin interface to block uncontrolled extraction that leads to arbitrary code execution.

preventdetect

Requires malicious code scanning and protection mechanisms that would detect or block the malicious gzip payload before extraction.

prevent

Mandates prompt application of the vendor patch (upgrade to 9.1R9) that eliminates the uncontrolled extraction flaw.

References