What is CVE-2019-11510?

CVE-2019-11510 is a critical-severity vulnerability in N/a. CVSS score: 9.9/10. Published 2019-05-08.

How severe is CVE-2019-11510?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Is CVE-2019-11510 known to be exploited?

Yes. CVE-2019-11510 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 105 public proof-of-concept repositories are indexed.

Vulnerability in N/a

CVE-2019-11510

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

EPSS: 0.945 (100.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N.

Affected products

N/a — versions n/a

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2021-11-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-05-03.

Required action: Apply updates per vendor instructions.

Known ransomware campaign use: yes.

Public proof-of-concept exploits

References

kb.pulsesecure.net/ (x_refsource_MISC)
kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ (x_refsource_CONFIRM)
108073 (vdb-entry, x_refsource_BID)
psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010 (x_refsource_CONFIRM)
packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-… (x_refsource_MISC)
badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-115… (x_refsource_MISC)
packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.h… (x_refsource_MISC)
i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like… (x_refsource_MISC)
devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-v… (x_refsource_MISC)
[guacamole-user] 20190912 Re: [Guacamole hack attack?] (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-11510?: CVE-2019-11510 is a critical-severity vulnerability in N/a. CVSS score: 9.9/10. Published 2019-05-08.
How severe is CVE-2019-11510?: Critical severity. CVSS v3 base score is 9.9 out of 10.
Is CVE-2019-11510 known to be exploited?: Yes. CVE-2019-11510 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 105 public proof-of-concept repositories are indexed.