Cyber Resilience

CVE-2021-22899

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 27 May 2021

Modified: 18 December 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1950 (95.5th percentile)
Risk Priority: 49 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22899 is a high-severity Command Injection (CWE-77) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

A command injection vulnerability tracked as CVE-2021-22899 affects Pulse Connect Secure versions prior to 9.1R11.4. The flaw resides in the Windows Resource Profiles feature and is classified under CWE-77, enabling an attacker to inject and execute arbitrary operating-system commands.

A remote attacker who has already authenticated to the appliance can exploit the issue over the network without user interaction. Successful exploitation grants the attacker full remote code execution with the privileges of the vulnerable process, resulting in complete confidentiality, integrity, and availability impact as reflected by the CVSS 8.8 score.

The vendor advisory SA44784 recommends upgrading to Pulse Connect Secure 9.1R11.4 or later to remediate the flaw. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

A command injection vulnerability in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: connect secure
Versions: 9.0, 9.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires applying vendor patches to remediate the identified command-injection flaw in Pulse Connect Secure.

Prevent: Restricts activation of the Windows Resource Profiles feature that contains the injection vulnerability, reducing attack surface.

Detect: Enables monitoring of command execution and anomalous behavior that would indicate exploitation of the RCE flaw.

References