CVE-2021-22900
Published: 27 May 2021
Summary
CVE-2021-22900 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 14.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-22900 is an unrestricted file upload vulnerability in Pulse Connect Secure versions prior to 9.1R11.4. It resides in the administrator web interface and permits an authenticated administrator to upload a maliciously crafted archive that results in arbitrary file writes on the appliance. The flaw is tracked under CWE-94 (Improper Control of Generation of Code) and CWE-669 (Incorrect Resource Transfer Between Spheres) and carries a CVSS 3.1 base score of 7.2.
An attacker who already possesses valid administrator credentials can exploit the issue over the network by submitting the crafted archive through the management interface. Successful exploitation grants the ability to write arbitrary files, which can be leveraged to fully compromise the confidentiality, integrity, and availability of the affected system.
The vendor advisory SA44784 states that the issue is resolved in Pulse Connect Secure 9.1R11.4 and later releases; administrators are advised to apply the update. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-10032
Vulnerability details
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4, which could let an authenticated administrator perform a file write via a maliciously crafted archive upload in the administrator web interface.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Enforces validation of uploaded archives in the admin interface to block malicious file-write payloads.
- Requires timely application of the vendor patch (9.1R11.4+) that eliminates the unrestricted-upload flaw.
- Restricts the ability of even authenticated administrators to perform arbitrary file-system changes via the web interface.