CVE-2021-22893
Published: 23 April 2021
Summary
CVE-2021-22893 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ivanti Connect Secure. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Pulse Connect Secure versions 9.0R3/9.1R1 and higher contain an authentication bypass vulnerability in the Windows File Share Browser and Pulse Secure Collaboration features. The flaw, tracked as CVE-2021-22893 with a CVSS score of 10.0 and associated CWEs 287 and 416, permits an unauthenticated remote attacker to execute arbitrary code on the gateway appliance.
An attacker with network access to an affected Pulse Connect Secure instance can exploit the bypass to gain unauthenticated remote code execution, achieving full control over the gateway without requiring valid credentials or user interaction.
Vendor advisories from Pulse Secure and related guidance from US-CERT recommend applying the security updates referenced in SA44784 and the associated knowledge base articles to address the issue.
The vulnerability has been exploited in the wild, with reporting from FireEye indicating suspected APT actors leveraging related bypass techniques against Pulse Secure appliances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10025
Vulnerability details
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor security updates (SA44784) that eliminate the authentication-bypass flaw.
Enforces authentication and authorization decisions before any code-execution path in the Windows File Share Browser or Collaboration features can be reached.
Restricts and monitors all remote access to the Pulse Connect Secure gateway, limiting the attack surface for unauthenticated RCE attempts.