CVE-2021-22893
CVE-2021-22893 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 7.5
- EPSS exploit prediction: 47% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-10025
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-416
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
Pulse Connect Secure Authentication Bypass Enables Unauthenticated Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-22893 is a critical authentication bypass vulnerability in Pulse Connect Secure (now Ivanti Connect Secure) that exposes the Windows File Share Browser and Pulse Secure Collaboration features to unauthenticated attackers. Successful exploitation grants remote arbitrary code execution on the VPN gateway. The vulnerability carries a CVSS v3.1 score of 10.0 (Critical) and has been actively exploited in the wild since at least late 2021.
Background
Pulse Connect Secure is a widely deployed SSL VPN solution used by enterprises to provide remote access to internal resources. The product includes auxiliary features such as the Windows File Share Browser, which allows users to browse Windows SMB shares through the VPN portal, and Pulse Secure Collaboration, which enables file sharing and meeting functionality. In April 2021, Ivanti (then Pulse Secure) disclosed that these features exposed an authentication bypass flaw that could be chained to achieve unauthenticated remote code execution. The issue was subsequently added to CISA's Known Exploited Vulnerabilities catalog and the EU Vulnerability Database.
Root Cause
The underlying weakness is classified as CWE-416: Use After Free. A memory management defect in the handling of requests to the Windows File Share Browser and Collaboration components allows an attacker to manipulate heap memory after it has been freed. By carefully crafting requests, an attacker can bypass authentication checks and inject malicious input that leads to code execution within the context of the gateway appliance. The vulnerability does not require valid credentials or user interaction, and it is exploitable over the network with low attack complexity.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H reflects the maximum severity of this flaw:
- Attack Vector (AV:N): The vulnerability is exploitable remotely over the network.
- Attack Complexity (AC:L): No special conditions are required beyond a standard deployment.
- Privileges Required (PR:N): The attacker needs no authentication.
- User Interaction (UI:N): No victim interaction is necessary.
- Scope (S:C): A successful compromise of the gateway can affect resources beyond the vulnerable component, such as downstream internal systems accessible via the VPN.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Complete loss of all three security properties is possible.
Because SSL VPN appliances sit at the network perimeter and often bridge untrusted external traffic directly into corporate environments, a full gateway compromise typically grants the attacker a privileged foothold from which to pivot, exfiltrate data, or deploy additional tooling.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. No working exploit code is included, and the information is derived from publicly disclosed research and vendor advisories.
The attack surface is the web-facing interface of the Pulse Connect Secure gateway. The general exploitation flow observed in the wild involves:
-
Reconnaissance: The attacker identifies an exposed Pulse Connect Secure appliance, often through internet-wide scanning or targeted intelligence gathering.
-
Authentication Bypass: The attacker sends a crafted HTTP request to endpoints associated with the Windows File Share Browser or Collaboration features. The request triggers the use-after-free condition, corrupting authentication state and allowing the attacker to access restricted functionality without credentials.
-
Code Execution: With authentication bypassed, the attacker leverages the compromised component to upload or execute arbitrary code on the appliance. In documented incidents, this has included webshells, credential harvesters, and persistent backdoors.
-
Post-Exploitation: From the gateway, the attacker may move laterally into the internal network, intercept VPN sessions, or establish long-term persistence.
FireEye Mandiant and CISA have published detailed threat-intelligence reports linking exploitation of this vulnerability to suspected advanced persistent threat activity.
Affected and Patched Versions
According to the vendor advisory and NVD CPE data, the following product lines are affected:
- Ivanti (Pulse) Connect Secure 9.0 — multiple releases including 9.0R1 through 9.0R6.0
- Ivanti (Pulse) Connect Secure 9.1 — multiple releases including 9.1R1 through 9.1R11.3
The vendor's initial disclosure notes that the vulnerable features are present in 9.0R3/9.1R1 and higher. Administrators should consult the official Pulse Secure Security Advisory SA44784 for the definitive list of affected releases and the corresponding patched firmware versions.
Remediation
-
Upgrade Firmware: Apply the vendor-supplied patch as documented in Security Advisory SA44784. Ensure the upgrade path is validated against the vendor's release notes.
-
Disable Vulnerable Features (Temporary): If patching is not immediately possible, consider disabling the Windows File Share Browser and Pulse Secure Collaboration features until the appliance can be updated.
-
Network Segmentation: Restrict management and VPN gateway interfaces to known IP ranges where possible. Use external firewalls or access control lists to limit exposure.
-
Compensating Controls:
- Enable multi-factor authentication (MFA) for all VPN sessions where supported.
- Monitor gateway logs for anomalous access to
/dana-na/or feature-specific endpoints. - Deploy an intrusion detection system (IDS) or web application firewall (WAF) with signatures for known Pulse Secure exploitation patterns.
Detection
- Log Analysis: Review access logs for unusual HTTP requests to Windows File Share Browser and Collaboration endpoints, especially from unexpected source IPs or with non-standard user-agent strings.
- File Integrity: Check the appliance filesystem for unauthorized webshells, modified system binaries, or unexpected scheduled tasks.
- Network Traffic: Monitor outbound connections from the VPN gateway to external command-and-control infrastructure.
- Threat Intelligence: Cross-reference observed IOCs against FireEye and CISA advisories related to this vulnerability.
Assessment
With an EPSS score of 0.47172 (98.69th percentile) and confirmed inclusion in both the CISA KEV catalog (added 2021-11-03) and the EU Vulnerability Database, CVE-2021-22893 represents one of the highest-risk VPN vulnerabilities disclosed in recent years. The score indicates that, historically, vulnerabilities with similar characteristics have a roughly 47% probability of being exploited in the wild within 30 days of disclosure — and in this case, exploitation was confirmed even before formal cataloging.
Key takeaways:
-
Perimeter appliances are high-value targets: A single unpatched SSL VPN gateway can collapse an organization's network boundary. Patching cycles for edge infrastructure should be aggressive.
-
Feature surface matters: Auxiliary features such as file browsing and collaboration, while convenient, expand the attack surface. Organizations should evaluate whether such features are strictly necessary and disable unused modules.
References
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://kb.cert.org/vuls/id/213092
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.kb.cert.org/vuls/id/213092
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22893
Frequently asked questions
- What is CVE-2021-22893?
- Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
- How severe is CVE-2021-22893?
- CVE-2021-22893 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-22893 being actively exploited?
- Yes. CVE-2021-22893 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-22893?
- CVE-2021-22893 primarily affects Ivanti Connect Secure. In total, 36 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-22893?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-22893 have an EU (EUVD) identifier?
- Yes. CVE-2021-22893 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-10025. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-22893 published?
- CVE-2021-22893 was published on 2021-04-23 and last updated on 2026-06-17.
References
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://kb.cert.org/vuls/id/213092
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.kb.cert.org/vuls/id/213092
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22893
Affected products (36)
- cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r10.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r10.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.0:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r8.4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:9.1:r9.2:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2019-11510 — Critical (CVSS 10.0): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
- CVE-2018-20810 — Critical (CVSS 9.8): Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse…
All CVEs affecting Ivanti Connect Secure →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…