CVE-2019-11539
CVE-2019-11539 is a high-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 7.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-78.
Key facts
- Severity: High (CVSS 3.x base score 7.2)
- CVSS v2: 6.5
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-3210
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-78
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
CVE-2019-11539: Authenticated Command Injection in Ivanti Pulse Secure Connect Secure and Policy Secure
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2019-11539 |
| CWE | CWE-78 (OS Command Injection) |
| CVSS v2 | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) |
| CVSS v3 | 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.98617 (99.92nd percentile) |
| KEV | Yes (CISA KEV since 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Published | 2019-04-26 |
Summary
CVE-2019-11539 is an authenticated command injection vulnerability in the administrative web interface of Ivanti Pulse Secure Connect Secure and Pulse Policy Secure. An attacker with valid administrative credentials can inject and execute arbitrary operating system commands, leading to full system compromise.
Background
Pulse Secure Connect Secure (formerly Pulse Connect Secure) and Pulse Policy Secure are enterprise SSL VPN and network access control solutions widely deployed in corporate environments to provide secure remote access. These appliances are critical perimeter security devices that often sit at the edge of corporate networks, making them high-value targets for attackers.
Root Cause
The vulnerability is classified as CWE-78 (OS Command Injection). The administrative web interface fails to properly sanitize user-supplied input before passing it to underlying system commands or shell interpreters. This insufficient input validation allows an authenticated attacker to inject shell metacharacters and execute arbitrary commands with the privileges of the web application process.
Impact
- CVSS v2 Base Score: 6.5 (Medium) — Network exploitable, low complexity, requires single authentication, with partial impact on confidentiality, integrity, and availability.
- CVSS v3.1 Base Score: 7.2 (High) — Network attack vector, low complexity, high privileges required, no user interaction, leading to high impact on confidentiality, integrity, and availability.
- Successful exploitation grants an authenticated attacker complete control over the appliance, including the ability to modify configuration, access sensitive data, pivot to internal networks, and establish persistent backdoors.
Exploitation Walkthrough
Ethics Note: The following description is provided for defensive purposes only. Attempting to exploit systems without explicit authorization is illegal and unethical.
The vulnerability is triggered through the administrative web interface. An attacker with valid admin credentials can craft malicious input in certain administrative functions that execute system-level commands. The attack path generally involves:
- Authenticating to the admin web interface
- Navigating to a functionality that invokes backend system commands
- Injecting shell metacharacters into input fields
- The appliance executes the command, returning output or establishing further control
Because this requires admin credentials, the attack surface is primarily limited to credential compromise scenarios or insider threats. However, given the device's privileged network position, successful exploitation has catastrophic consequences.
Affected and Patched Versions
Affected versions:
- Ivanti Pulse Connect Secure: 8.1RX through 8.1R15.0, 8.2RX through 8.2R12.0, 8.3RX through 8.3R7.0, 9.0RX through 9.0R3.3
- Ivanti Pulse Policy Secure: 5.1RX through 5.1R15.0, 5.2RX through 5.2R12.0, 5.3RX through 5.3R12.0, 5.4RX through 5.4R7.0, 9.0RX through 9.0R3.1
Patched versions:
- Pulse Connect Secure: 9.0R3.4, 8.3R7.1, 8.2R12.1, 8.1R15.1
- Pulse Policy Secure: 9.0R3.2, 5.4R7.1, 5.3R12.1, 5.2R12.1, 5.1R15.1
Remediation
- Immediate Upgrade: Apply the patched versions listed above without delay. Given the KEV status and active exploitation, this is a critical priority.
- Network Segmentation: Restrict administrative access to the web interface to trusted management networks only. Do not expose the admin interface to the internet.
- Credential Hardening: Enforce strong, unique passwords for admin accounts and enable multi-factor authentication (MFA) if supported.
- Monitoring: Implement logging and monitoring for admin interface access and command execution patterns.
- Compensating Controls: If patching is immediately impossible, consider placing the appliance behind a Web Application Firewall (WAF) with strict input validation rules, though this is not a complete substitute for patching.
Detection
- Monitor web server and system logs for unusual command execution patterns from the admin interface
- Alert on unauthorized access attempts or privilege escalation on the appliance
- Review network traffic for unexpected outbound connections from the VPN appliance
- Check for indicators of compromise (IoCs) such as modified system files, unexpected cron jobs, or new user accounts
- Use CISA's known exploited vulnerability catalog to verify your exposure status
Assessment
This vulnerability carries an extremely high EPSS score of 0.98617 (99.92nd percentile), indicating near-certain active exploitation in the wild. Its presence on the CISA KEV catalog and EU exploited vulnerability database confirms it has been weaponized by threat actors. The primary lessons are: (1) administrative interfaces on security appliances must implement strict input validation and parameterized commands, and (2) network security devices themselves are high-value targets—compromising them neutralizes the very security they are meant to provide.
References
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Frequently asked questions
- What is CVE-2019-11539?
- In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.
- How severe is CVE-2019-11539?
- CVE-2019-11539 has a CVSS 3.x base score of 7.2, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-11539 being actively exploited?
- Yes. CVE-2019-11539 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-11539?
- CVE-2019-11539 primarily affects Ivanti Connect Secure. In total, 138 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-11539?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-11539 have an EU (EUVD) identifier?
- Yes. CVE-2019-11539 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-3210. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-11539 published?
- CVE-2019-11539 was published on 2019-04-26 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html
- http://www.securityfocus.com/bid/108073
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://www.kb.cert.org/vuls/id/927237
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11539
Affected products (138)
- cpe:2.3:a:ivanti:connect_secure:8.1:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r1.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r10.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r11.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r11.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r12.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r12.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r13.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r14.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r2.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r3.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r3.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r3.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r4.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r5.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r6.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r7:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r7.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r8.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r9.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r9.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.1:r9.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r1.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r10.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r11.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r12.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r2.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r3.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r3.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r4.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r5.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r5.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:8.2:r6.0:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2021-22893 — Critical (CVSS 10.0): Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the…
- CVE-2019-11510 — Critical (CVSS 10.0): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
All CVEs affecting Ivanti Connect Secure →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…