Numerous Vulnerabilities Found In Pulse Secure VPN – Update Now!

Heads up, Pulse Secure VPN users! Researchers have found numerous vulnerabilities in Pulse Secure VPN that can have a devastating impact on users. One of these bugs could even allow remote code execution attacks.

Researchers from the cybersecurity firm GoSecure have found multiple vulnerabilities in Pulse Secure VPN, including a remote code execution flaw.

Sharing the details in a post, the researchers revealed that they discovered a command injection vulnerability in the VPN. Specifically, the bug existed in the downloadlicenses.cgi file of the admin portal.

Thus, an authenticated attacker could simply exploit the bug by tricking an administrator into clicking on a malicious link. Consequently, the attacker could gain code execution privileges as an admin on the target system.

However, the researchers explain that exploiting the bug wasn’t trivial, thanks to the security measures Pulse Secure already had in place.

Nonetheless, with a little effort, it was still possible to exploit the bug.

As the researcher, Jean-Frédéric Gauron, stated in the blog post,

Following their report, the vendors patched the vulnerability, CVE-2020-8218, with the release of Pulse Connect Secure (PCS) 9.1R8.

Describing the bug in the advisory, the vendors state,

They have labeled the vulnerability as a high-severity flaw with a CVSS score of 7.2.
