CVE-2021-22894
Published: 27 May 2021
Summary
CVE-2021-22894 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A buffer overflow vulnerability exists in Pulse Connect Secure versions prior to 9.1R11.4. The flaw, tracked under CWE-94 and CWE-119, resides in the component responsible for processing meeting rooms and permits memory corruption that can lead to arbitrary code execution.
A remote authenticated attacker with low privileges can exploit the issue over the network by submitting a maliciously crafted meeting room. Successful exploitation grants the attacker the ability to run arbitrary code as the root user, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 3.1 base score of 8.8.
The vendor advisory SA44784 states that the vulnerability is resolved in Pulse Connect Secure 9.1R11.4 and later releases. CISA includes CVE-2021-22894 in its catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10026
Vulnerability details
A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 that allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.
- CWE(s): CWE-94 (Code Injection), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patch (9.1R11.4 or later) that eliminates the buffer-overflow flaw in meeting-room processing.
- SI-10 (Information Input Validation): mandates validation of untrusted input reaching the meeting-room component, so that a maliciously crafted meeting room is rejected before it can trigger the overflow.
- SI-16 (Memory Protection): requires memory-protection mechanisms (for example non-executable memory and address-space layout randomization) that can detect or block exploitation of the memory corruption (CWE-119) before arbitrary code executes as root.