Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2019-11510

Disclosure Date: May 08, 2019
Exploited in the Wild
Reported by AttackerKB Worker
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

Add Assessment

2
Ratings
Technical Analysis

Can download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.

1
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15 and Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
  • Mitigation: Update affected Pulse Secure devices with the latest security patches.

General Information

Technical Analysis