Vulnerability Details: CVE-2019-11539

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 26 Apr, 2019 | 01:39
Updated At: 21 Oct, 2025 | 23:45

Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability

Ivanti Pulse Connect Secure and Policy Secure allows an authenticated attacker from the admin web interface to inject and execute commands.

Known Exploited Vulnerabilities (KEV)
cisa.gov
Vendor: Ivanti Software (Ivanti)
Product: Pulse Connect Secure and Pulse Policy Secure
Added At: 03 Nov, 2021
Due At: 03 May, 2022

Used in Ransomware: Known
CWE: CWE-78
Required Action: Apply updates per vendor instructions.
Additional Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11539

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 26 Apr, 2019 | 01:39
Updated At: 21 Oct, 2025 | 23:45

CVE Numbering Authority (CNA)

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

Affected Products
Vendor: n/a
Product: n/a
Versions affected: n/a
Problem Types
Type: text
CWE ID: N/A
Description: n/a
Metrics
Version: 3.0
Base score: 8.0
Base severity: HIGH
Vector: CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:H/S:C/UI:N
References
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securityfocus.com/bid/108073
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Resource:
x_refsource_CONFIRM
Hyperlink: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
Resource:
x_refsource_MISC
Hyperlink: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
Resource:
x_refsource_MISC
Hyperlink: https://www.kb.cert.org/vuls/id/927237
Resource:
third-party-advisory
x_refsource_CERT-VN
Hyperlink: http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Resource:
x_refsource_MISC
Authorized Data Publishers (ADP)
1. CVE Program Container
References
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securityfocus.com/bid/108073
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.kb.cert.org/vuls/id/927237
Resource:
third-party-advisory
x_refsource_CERT-VN
x_transferred
Hyperlink: http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics Other Info
kev
dateAdded: 2021-11-03
reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Timeline
Event: CVE-2019-11539 added to CISA KEV
Date: 2021-11-03 00:00:00
References
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Resource: government-resource
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cve@mitre.org
Published At: 26 Apr, 2019 | 02:29
Updated At: 06 Nov, 2025 | 16:51

CISA Catalog
Date Added: 2021-11-03
Due Date: 2022-05-03
Vulnerability Name: Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability
Required Action: Apply updates per vendor instructions.
Metrics
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Secondary
Version: 3.0
Base score: 8.0
Base severity: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Weaknesses
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov

CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Source: cve@mitre.org
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/108073
Source: cve@mitre.org
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Source: cve@mitre.org
Resource:
Third Party Advisory
Vendor Advisory
Hyperlink: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://www.kb.cert.org/vuls/id/927237
Source: cve@mitre.org
Resource:
Third Party Advisory
US Government Resource
Hyperlink: http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/108073
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
Hyperlink: https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
Hyperlink: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Vendor Advisory
Hyperlink: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: https://www.kb.cert.org/vuls/id/927237
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
US Government Resource

Similar CVEs

1078 Records found

CVE-2021-3198
Matching Score: 10
Assigner: Rapid7, Inc.
CVSS Score: 6.5 (MEDIUM)
EPSS: 2.20% / 84.09%
7 Day CHG: ~0.00%
Published: 22 Jul, 2021 | 18:27
Updated: 16 Sep, 2024 | 19:10
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Ivanti MobileIron Core clish Restricted Shell Escape via OS Command Injection

By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.

Action: Not Available
Vendor: Ivanti Software
Product: mobileiron, MobileIron Core
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-10242
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 3.22% / 86.73%
7 Day CHG: +0.93%
Published: 14 Oct, 2025 | 14:14
Updated: 18 Oct, 2025 | 03:55
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_mobile, Endpoint Manager Mobile
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-10243
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 3.22% / 86.73%
7 Day CHG: +0.93%
Published: 14 Oct, 2025 | 14:17
Updated: 18 Oct, 2025 | 03:55
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_mobile, Endpoint Manager Mobile
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-9380
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 88.14% / 99.47%
7 Day CHG: ~0.00%
Published: 08 Oct, 2024 | 16:23
Updated: 24 Oct, 2025 | 13:55
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Known KEV | Action Due Date: 2024-10-30 | As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_cloud_services_appliance, CSA (Cloud Services Appliance), Cloud Services Appliance (CSA)
CWE ID: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-8190
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 91.94% / 99.68%
7 Day CHG: ~0.00%
Published: 10 Sep, 2024 | 20:33
Updated: 24 Oct, 2025 | 14:48
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Known KEV | Action Due Date: 2024-10-04 | As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive future security updates.

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Action: Not Available
Vendor: Ivanti Software
Product: cloud_services_appliance, CSA (Cloud Services Appliance), endpoint_manager_cloud_services_appliance, Cloud Services Appliance
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-6771
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 16.43% / 94.71%
7 Day CHG: +4.96%
Published: 08 Jul, 2025 | 15:38
Updated: 11 Jul, 2025 | 17:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
OS command injection in Ivanti Endpoint Manager

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_mobile, Endpoint Manager Mobile
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-6770
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 9.17% / 92.50%
7 Day CHG: +2.97%
Published: 08 Jul, 2025 | 15:02
Updated: 11 Jul, 2025 | 17:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
OS command injection in Ivanti Endpoint Manager

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_mobile, Endpoint Manager Mobile
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-47908
Matching Score: 10
Assigner: Ivanti
CVSS Score: 9.1 (CRITICAL)
EPSS: 13.55% / 94.05%
7 Day CHG: ~0.00%
Published: 11 Feb, 2025 | 15:18
Updated: 20 Feb, 2025 | 15:57
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: cloud_services_appliance, Cloud Services Application
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-11007
Matching Score: 10
Assigner: Ivanti
CVSS Score: 9.1 (CRITICAL)
EPSS: 27.93% / 96.34%
7 Day CHG: +1.91%
Published: 12 Nov, 2024 | 16:05
Updated: 22 Nov, 2024 | 17:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: policy_secure, connect_secure, Policy Secure, Connect Secure
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-11006
Matching Score: 10
Assigner: Ivanti
CVSS Score: 9.1 (CRITICAL)
EPSS: 27.93% / 96.34%
7 Day CHG: +1.91%
Published: 12 Nov, 2024 | 16:06
Updated: 17 Jan, 2025 | 20:23
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: connect_secure, policy_secure, Policy Secure, Connect Secure
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-11005
Matching Score: 10
Assigner: Ivanti
CVSS Score: 9.1 (CRITICAL)
EPSS: 27.93% / 96.34%
7 Day CHG: +1.91%
Published: 12 Nov, 2024 | 16:07
Updated: 17 Jan, 2025 | 20:23
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: connect_secure, policy_secure, Policy Secure, Connect Secure
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-10985
Matching Score: 10
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 3.22% / 86.73%
7 Day CHG: +0.93%
Published: 14 Oct, 2025 | 14:20
Updated: 21 Oct, 2025 | 03:55
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action: Not Available
Vendor: Ivanti Software
Product: endpoint_manager_mobile, Endpoint Manager Mobile
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-8296
Matching Score: 8
Assigner: Ivanti
CVSS Score: 7.2 (HIGH)
EPSS: 2.34% / 84.55%
7 Day CHG: ~0.00%
Published: 12 Aug, 2025 | 14:33
Updated: 15 Aug, 2025 | 18:23
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-8297
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-4.24% / 88.53%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 14:37
Updated-15 Aug, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-7037
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-0.35% / 57.16%
||
7 Day CHG-0.02%
Published-08 Jul, 2025 | 14:54
Updated-11 Jul, 2025 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection in Ivanti Endpoint Manager

SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9381
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-1.21% / 78.67%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 16:25
Updated-16 Oct, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_cloud_services_applianceCSA (Cloud Services Appliance)endpoint_manager_cloud_services_appliance
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-50328
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-15.95% / 94.59%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 15:41
Updated-19 Nov, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Managerendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-50327
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-9.05% / 92.45%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 15:40
Updated-19 Nov, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Managerendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-11633
Matching Score-8
Assigner-Ivanti
CVSS Score-9.1||CRITICAL
EPSS-19.22% / 95.20%
||
7 Day CHG+3.88%
Published-10 Dec, 2024 | 18:47
Updated-17 Jan, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-connect_secureConnect Secure
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2024-11772
Matching Score-8
Assigner-Ivanti
CVSS Score-9.1||CRITICAL
EPSS-11.16% / 93.31%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 18:55
Updated-17 Jan, 2025 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-cloud_services_applianceCloud Services Application
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-9379
Matching Score-8
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-81.70% / 99.16%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 16:23
Updated-24 Oct, 2025 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-30||As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_cloud_services_applianceCSA (Cloud Services Appliance)endpoint_manager_cloud_services_applianceCloud Services Appliance (CSA)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-38655
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-13.94% / 94.15%
||
7 Day CHG+1.16%
Published-13 Nov, 2024 | 01:54
Updated-27 Jun, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_securePolicy SecureConnect Securepolicy_secureconnect_secure
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2024-37376
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-7.83% / 91.79%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-01 May, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-37373
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-5.03% / 89.50%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 02:38
Updated-16 Aug, 2024 | 04:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-20
Improper Input Validation
CVE-2024-34781
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-63.70% / 98.37%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-01 May, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34782
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-5.18% / 89.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-01 May, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34779
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-50.06% / 97.74%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34784
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-5.18% / 89.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-01 May, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32845
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-32.19% / 96.71%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32843
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-8.84% / 92.35%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32842
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-8.84% / 92.35%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-41719
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-3.15% / 86.58%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 01:56
Updated-02 Aug, 2024 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-connect_secureConnect Secure
CVE-2024-29848
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-25.75% / 96.11%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-06 May, 2025 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unrestricted file upload vulnerability in the web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-8218
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-92.34% / 99.72%
||
7 Day CHG~0.00%
Published-30 Jul, 2020 | 12:53
Updated-30 Oct, 2025 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-07||Apply updates per vendor instructions.

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.

Action-Not Available
Vendor-n/aPulse SecureIvanti Software
Product-policy_secureconnect_securepulse_policy_securePulse Connect SecurePulse Connect Secure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-8260
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-75.30% / 98.85%
||
7 Day CHG~0.00%
Published-28 Oct, 2020 | 12:47
Updated-30 Oct, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform arbitrary code execution using uncontrolled gzip extraction.

Action-Not Available
Vendor-n/aIvanti Software
Product-connect_securePulse Connect Secure / Pulse Policy SecurePulse Connect Secure
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-22572
Matching Score-8
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-19.73% / 95.28%
||
7 Day CHG~0.00%
Published-11 Apr, 2022 | 19:38
Updated-03 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A non-admin user with user management permission can escalate his privilege to admin user via password reset functionality. The vulnerability affects Incapptic Connect version < 1.40.1.

Action-Not Available
Vendor-n/aIvanti Software
Product-incapptic_connectIvanti Incapptic Connect
CVE-2022-21828
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-15.38% / 94.48%
||
7 Day CHG~0.00%
Published-04 Mar, 2022 | 16:15
Updated-03 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using an unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3.

Action-Not Available
Vendor-n/aIvanti Software
Product-incapptic_connectIvanti Incapptic Connect
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-34785
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-32.19% / 96.71%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34783
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-32.19% / 96.71%
||
7 Day CHG-17.88%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32840
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-50.06% / 97.74%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32846
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-8.84% / 92.35%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32847
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-9.52% / 92.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-24 Apr, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32844
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-5.18% / 89.66%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-19 Nov, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-EPMepm
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32848
Matching Score-8
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-42.09% / 97.34%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 01:09
Updated-12 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-11463
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.16% / 78.19%
||
7 Day CHG~0.00%
Published-11 Dec, 2017 | 06:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.

Action-Not Available
Vendor-n/aIvanti Software
Product-endpoint_managern/a
CVE-2025-4428
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-57.24% / 98.08%
||
7 Day CHG+2.02%
Published-13 May, 2025 | 15:46
Updated-24 Oct, 2025 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-06-09||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Remote Code Execution

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager MobileEndpoint Manager Mobile (EPMM)
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-28128
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-88.06% / 99.47%
||
7 Day CHG~0.00%
Published-09 May, 2023 | 00:00
Updated-28 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

Action-Not Available
Vendor-n/aIvanti Software
Product-avalancheAvalanche
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-11509
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-6.92% / 91.21%
||
7 Day CHG~0.00%
Published-03 Jun, 2019 | 19:34
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute arbitrary code on the appliance.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_policy_securepolicy_secureconnect_securen/a
CVE-2021-44720
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.60% / 85.29%
||
7 Day CHG~0.00%
Published-11 Aug, 2022 | 15:49
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securen/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-42126
Matching Score-8
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-5.74% / 90.25%
||
7 Day CHG~0.00%
Published-07 Dec, 2021 | 13:12
Updated-04 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper authorization control vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

Action-Not Available
Vendor-n/aIvanti Software
Product-avalancheIvanti Avalanche
CWE ID-CWE-285
Improper Authorization