CVE-2019-11510

CVE-2019-11510 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

CVE-2019-11510: Pulse Secure Connect Secure Arbitrary File Reading Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-11510
Severity Critical (CVSS v3.1 10.0 / CVSS v2 7.5)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
EPSS 0.99999 (99.999th percentile)
KEV Listed (since 2021-11-03)
EU Exploited Yes (since 2021-11-03)
Affected Pulse Secure / Ivanti Connect Secure 8.2, 8.3, 9.0 (unpatched revisions)
Patched 8.2R12.1, 8.3R7.1, 9.0R3.4

Summary

CVE-2019-11510 is a pre-authentication arbitrary file reading vulnerability in Pulse Secure Connect Secure (now Ivanti Connect Secure) SSL VPN gateways. An unauthenticated remote attacker can exploit a path traversal flaw via a specially crafted URI to read arbitrary files from the underlying operating system, including session files, credentials, and VPN configurations.

Background

Pulse Secure Connect Secure is a widely deployed SSL VPN solution used by enterprises and government agencies to provide remote access to corporate networks. In 2019, security researchers discovered that the appliance's web interface failed to properly sanitize user-supplied path components, enabling directory traversal outside the intended web root. This vulnerability was subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and evidence of widespread exploitation emerged shortly after public disclosure.

Root Cause

The vulnerability is classified as CWE-22: Path Traversal. The affected versions of the Connect Secure web interface do not adequately validate or sanitize URI path parameters before using them to construct filesystem paths. By injecting sequences such as ../, an attacker can escape the intended directory boundary and access files located anywhere on the appliance's filesystem. The flaw exists in a URI handler that is reachable without authentication, making it trivially exploitable by any remote actor.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H yields a score of 10.0 (Critical). The metrics reflect:

  • Attack Vector (AV): Network — exploitable remotely over the internet.
  • Attack Complexity (AC): Low — no special conditions or advanced techniques required.
  • Privileges Required (PR): None — no credentials or prior access needed.
  • User Interaction (UI): None — fully automated exploitation possible.
  • Scope (S): Changed — the vulnerable component impacts resources beyond its own security boundary.
  • Confidentiality, Integrity, Availability (C/I/A): High — complete compromise of confidentiality, integrity, and availability is possible.

Practically, successful exploitation allows an attacker to extract sensitive files, including plain-text credentials, session cookies, and VPN configuration data, which can enable further network compromise.

Exploitation Walkthrough

Ethics caveat: The following description is provided for defensive awareness only. No working exploit code is included. Attackers have actively exploited this vulnerability in the wild; defenders should prioritize patching and detection.

  1. Reconnaissance: Identify publicly exposed Pulse Secure / Ivanti Connect Secure appliances, typically on TCP 443.
  2. Path traversal probe: Send a crafted HTTP request containing directory traversal sequences in specific URI parameters known to reach the vulnerable handler.
  3. File extraction: If the appliance is vulnerable, the server returns the contents of arbitrary files (e.g., session files, configuration backups, or system logs).
  4. Credential harvesting: Extracted session files may contain unencrypted or weakly protected session tokens that can be reused to impersonate legitimate users.
  5. Lateral movement: Obtained credentials and VPN configurations may facilitate further pivoting into the internal network.

Affected and Patched Versions

Branch Affected (unpatched) Patched
8.2 8.2R1.0 through 8.2R12.0 8.2R12.1 and later
8.3 8.3R1 through 8.3R7 8.3R7.1 and later
9.0 9.0R1 through 9.0R3.3 9.0R3.4 and later

Versions earlier than 8.2R1.0 are also likely affected but are not explicitly listed in the NVD CPE data.

Remediation

  1. Upgrade immediately: Apply the latest patched firmware revision for your branch (8.2R12.1+, 8.3R7.1+, or 9.0R3.4+).
  2. Rotate credentials: After patching, rotate all administrative and user credentials, as well as any API tokens or VPN certificates that may have been exposed.
  3. Review session logs: Examine authentication and session logs for anomalous access patterns preceding the patch date.
  4. Compensating controls: If immediate patching is not feasible, restrict management and VPN portal access to trusted IP ranges via firewall rules or network segmentation. Note that this does not eliminate the vulnerability.
  5. Enable MFA: Enforce multi-factor authentication for VPN access to reduce the value of stolen session data.

Detection

  • Network monitoring: Watch for HTTP requests to the vulnerable URI path containing traversal sequences (../) or anomalous return of non-HTML content from the appliance.
  • File integrity: Monitor for unexpected reads of sensitive files (e.g., /data/runtime/tmp/relay, session databases, or configuration backups).
  • Log review: Inspect appliance access logs for repeated or abnormal GET requests to the vulnerable endpoint, especially from unexpected source IPs.
  • Threat intelligence: Cross-reference external IPs hitting your appliance with indicators of compromise associated with CVE-2019-11510.

Assessment

With an EPSS score of 0.99999 and inclusion in the CISA KEV catalog, CVE-2019-11510 is among the most reliably exploited vulnerabilities in the enterprise VPN landscape. The near-perfect EPSS percentile indicates that threat actors are actively and successfully weaponizing this flaw at scale. Organizations still running unpatched appliances should treat remediation as a critical-priority incident, not merely a routine patch cycle.

Key lessons:

  1. Input validation is a perimeter control: Even a single unauthenticated URI handler lacking path sanitization can lead to total system compromise.
  2. Legacy VPN appliances are high-value targets: Remote access gateways sit at the network edge and are continuously probed by opportunistic and targeted actors alike.

References

Frequently asked questions

What is CVE-2019-11510?
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
How severe is CVE-2019-11510?
CVE-2019-11510 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-11510 being actively exploited?
Yes. CVE-2019-11510 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-11510?
CVE-2019-11510 primarily affects Ivanti Connect Secure. In total, 37 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-11510?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-11510 have an EU (EUVD) identifier?
Yes. CVE-2019-11510 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-3183. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-11510 published?
CVE-2019-11510 was published on 2019-05-08 and last updated on 2026-06-17.

References

Affected products (37)

More vulnerabilities in Ivanti Connect Secure

All CVEs affecting Ivanti Connect Secure →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →