Patch for Zero-Day Vulnerability in Pulse Connect Secure VPN Appliance Available – CVE-2021-22893

Share :


On April 20,2021 Ivanti, the parent company of Pulse Secure, released Pulse Connect Secure version 9.1R11.4 to address the zero-day vulnerability CVE-2021-22893, among 3 other new vulnerabilities.


CVSS Score V3

CVSS Criticality






Remote Arbitrary Code Execution

Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license services.




Buffer Overflow

Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.




Command Injection

Command Injection in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.




Code Injection

Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.



Vulnerability to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.

CVE-2021-22894 | CVE-2021-22899 | CVE-2021-22900

All three are post-authentication vulnerabilities. These do not appear to be additional zero-days, but are additional vulnerabilities added into the patch that addresses CVE-2021-22893.

Solutions and Recommendations

The advisory with details on updating to the newest released can be found here.

Arctic Wolf strongly recommends that you apply this update for any Pulse Connect Secure VPN appliances in your network as soon as possible to fully mitigate the zero-day vulnerability that is known to have been used in attacks in the wild.

There are three important items to note about this latest release:

  1. This release is only for the Pulse Connect Secure VPN appliances themselves, not the Pulse Secure VPN clients. The zero-day vulnerability that was exploited in the wild was done so against the Pulse Connect Secure Servers themselves.
  2. Ivanti has stated there is a known cert issue for browser clients if upgrading from any version below 9.1R8. The knowledge base (KB) for this known issue can be found here.
  3. If you previously applied the workaround provided by Ivanti for the zero-day vulnerability to your Pulse Connect Secure VPN appliance, you will need to remove it after applying the 9.1R11.4 update. Details on how to do this can be found in the “Workaround” section of this advisory here.


Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.

Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter