
CVE-2021-22893

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 23 April 2021
Modified: 18 December 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9361 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22893 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ivanti Connect Secure. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Pulse Connect Secure versions 9.0R3/9.1R1 and higher contain an authentication bypass vulnerability in the Windows File Share Browser and Pulse Secure Collaboration features. The flaw, tracked as CVE-2021-22893 with a CVSS score of 10.0 and associated CWEs 287 and 416, permits an unauthenticated remote attacker to execute arbitrary code on the gateway appliance.

An attacker with network access to an affected Pulse Connect Secure instance can exploit the bypass to gain unauthenticated remote code execution, achieving full control over the gateway without requiring valid credentials or user interaction.

Vendor advisories from Pulse Secure and related guidance from US-CERT recommend applying the security updates referenced in SA44784 and the associated knowledge base articles to address the issue.

The vulnerability has been exploited in the wild, with reporting from FireEye indicating suspected APT actors leveraging related bypass techniques against Pulse Secure appliances.


Vulnerability details

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Ivanti Connect Secure: versions 9.0, 9.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely installation of vendor security updates (SA44784) that eliminate the authentication-bypass flaw.

AC-3 Access Enforcement
prevent

Enforces authentication and authorization decisions before any code-execution path in the Windows File Share Browser or Collaboration features can be reached.

AC-17 Remote Access (partial match)
prevent

Restricts and monitors all remote access to the Pulse Connect Secure gateway, limiting the attack surface for unauthenticated RCE attempts.

References