Cyber Resilience

CVE-2021-22894

HighCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 27 May 2021

Published
27 May 2021
Modified
18 December 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4202 97.5th percentile
Risk Priority 63 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-22894 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A buffer overflow vulnerability exists in Pulse Connect Secure versions prior to 9.1R11.4. The flaw, tracked under CWE-94 and CWE-119, resides in the component responsible for processing meeting rooms and permits memory corruption that can lead to arbitrary code execution.

A remote authenticated attacker with low privileges can exploit the issue over the network by submitting a maliciously crafted meeting room. Successful exploitation grants the attacker the ability to run arbitrary code as the root user, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 3.1 base score of 8.8.

The vendor advisory SA44784 states that the vulnerability is resolved in Pulse Connect Secure 9.1R11.4 and later releases. CISA includes CVE-2021-22894 in its catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.

EU & UK References

Vulnerability details

A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
connect secure
9.0, 9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (9.1R11.4) that eliminates the buffer-overflow flaw in meeting-room processing.

prevent

Mandates validation of untrusted input to the meeting-room component, blocking the maliciously crafted payload that triggers the overflow.

prevent

Requires memory-protection mechanisms that can detect or block exploitation of the memory corruption (CWE-119) before arbitrary root code executes.

References