CVE-2019-11510
CVE-2019-11510 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-3183
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
CVE-2019-11510: Pulse Secure Connect Secure Arbitrary File Reading Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-11510 |
| Severity | Critical (CVSS v3.1 10.0 / CVSS v2 7.5) |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| EPSS | 0.99999 (99.999th percentile) |
| KEV | Listed (since 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Affected | Pulse Secure / Ivanti Connect Secure 8.2, 8.3, 9.0 (unpatched revisions) |
| Patched | 8.2R12.1, 8.3R7.1, 9.0R3.4 |
Summary
CVE-2019-11510 is a pre-authentication arbitrary file reading vulnerability in Pulse Secure Connect Secure (now Ivanti Connect Secure) SSL VPN gateways. An unauthenticated remote attacker can exploit a path traversal flaw via a specially crafted URI to read arbitrary files from the underlying operating system, including session files, credentials, and VPN configurations.
Background
Pulse Secure Connect Secure is a widely deployed SSL VPN solution used by enterprises and government agencies to provide remote access to corporate networks. In 2019, security researchers discovered that the appliance's web interface failed to properly sanitize user-supplied path components, enabling directory traversal outside the intended web root. This vulnerability was subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and evidence of widespread exploitation emerged shortly after public disclosure.
Root Cause
The vulnerability is classified as CWE-22: Path Traversal. The affected versions of the Connect Secure web interface do not adequately validate or sanitize URI path parameters before using them to construct filesystem paths. By injecting sequences such as ../, an attacker can escape the intended directory boundary and access files located anywhere on the appliance's filesystem. The flaw exists in a URI handler that is reachable without authentication, making it trivially exploitable by any remote actor.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H yields a score of 10.0 (Critical). The metrics reflect:
- Attack Vector (AV): Network — exploitable remotely over the internet.
- Attack Complexity (AC): Low — no special conditions or advanced techniques required.
- Privileges Required (PR): None — no credentials or prior access needed.
- User Interaction (UI): None — fully automated exploitation possible.
- Scope (S): Changed — the vulnerable component impacts resources beyond its own security boundary.
- Confidentiality, Integrity, Availability (C/I/A): High — complete compromise of confidentiality, integrity, and availability is possible.
Practically, successful exploitation allows an attacker to extract sensitive files, including plain-text credentials, session cookies, and VPN configuration data, which can enable further network compromise.
Exploitation Walkthrough
Ethics caveat: The following description is provided for defensive awareness only. No working exploit code is included. Attackers have actively exploited this vulnerability in the wild; defenders should prioritize patching and detection.
- Reconnaissance: Identify publicly exposed Pulse Secure / Ivanti Connect Secure appliances, typically on TCP 443.
- Path traversal probe: Send a crafted HTTP request containing directory traversal sequences in specific URI parameters known to reach the vulnerable handler.
- File extraction: If the appliance is vulnerable, the server returns the contents of arbitrary files (e.g., session files, configuration backups, or system logs).
- Credential harvesting: Extracted session files may contain unencrypted or weakly protected session tokens that can be reused to impersonate legitimate users.
- Lateral movement: Obtained credentials and VPN configurations may facilitate further pivoting into the internal network.
Affected and Patched Versions
| Branch | Affected (unpatched) | Patched |
|---|---|---|
| 8.2 | 8.2R1.0 through 8.2R12.0 | 8.2R12.1 and later |
| 8.3 | 8.3R1 through 8.3R7 | 8.3R7.1 and later |
| 9.0 | 9.0R1 through 9.0R3.3 | 9.0R3.4 and later |
Versions earlier than 8.2R1.0 are also likely affected but are not explicitly listed in the NVD CPE data.
Remediation
- Upgrade immediately: Apply the latest patched firmware revision for your branch (8.2R12.1+, 8.3R7.1+, or 9.0R3.4+).
- Rotate credentials: After patching, rotate all administrative and user credentials, as well as any API tokens or VPN certificates that may have been exposed.
- Review session logs: Examine authentication and session logs for anomalous access patterns preceding the patch date.
- Compensating controls: If immediate patching is not feasible, restrict management and VPN portal access to trusted IP ranges via firewall rules or network segmentation. Note that this does not eliminate the vulnerability.
- Enable MFA: Enforce multi-factor authentication for VPN access to reduce the value of stolen session data.
Detection
- Network monitoring: Watch for HTTP requests to the vulnerable URI path containing traversal sequences (
../) or anomalous return of non-HTML content from the appliance. - File integrity: Monitor for unexpected reads of sensitive files (e.g.,
/data/runtime/tmp/relay, session databases, or configuration backups). - Log review: Inspect appliance access logs for repeated or abnormal GET requests to the vulnerable endpoint, especially from unexpected source IPs.
- Threat intelligence: Cross-reference external IPs hitting your appliance with indicators of compromise associated with CVE-2019-11510.
Assessment
With an EPSS score of 0.99999 and inclusion in the CISA KEV catalog, CVE-2019-11510 is among the most reliably exploited vulnerabilities in the enterprise VPN landscape. The near-perfect EPSS percentile indicates that threat actors are actively and successfully weaponizing this flaw at scale. Organizations still running unpatched appliances should treat remediation as a critical-priority incident, not merely a routine patch cycle.
Key lessons:
- Input validation is a perimeter control: Even a single unauthenticated URI handler lacking path sanitization can lead to total system compromise.
- Legacy VPN appliances are high-value targets: Remote access gateways sit at the network edge and are continuously probed by opportunistic and targeted actors alike.
References
- http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
- http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
- http://www.securityfocus.com/bid/108073
- https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/?atype=sa
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
- https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a%40%3Cuser.guacamole.apache.org%3E
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11510
Frequently asked questions
- What is CVE-2019-11510?
- In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
- How severe is CVE-2019-11510?
- CVE-2019-11510 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-11510 being actively exploited?
- Yes. CVE-2019-11510 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-11510?
- CVE-2019-11510 primarily affects Ivanti Connect Secure. In total, 37 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-11510?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-11510 have an EU (EUVD) identifier?
- Yes. CVE-2019-11510 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-3183. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-11510 published?
- CVE-2019-11510 was published on 2019-05-08 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html
- http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html
- http://www.securityfocus.com/bid/108073
- https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/?atype=sa
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
- https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a%40%3Cuser.guacamole.apache.org%3E
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11510
Affected products (37)
- cpe:2.3:a:ivanti:connect_secure:8.2:r1.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r10.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r11.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r12.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r2.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r3.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r3.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r4.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r5.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r5.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r6.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r7.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r7.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r8.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r8.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r8.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r9.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r5.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r5.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r6:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r6.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.3:r7:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2021-22893 — Critical (CVSS 10.0): Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
- CVE-2018-20810 — Critical (CVSS 9.8): Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse…
All CVEs affecting Ivanti Connect Secure →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…