Pulse Secure VPN — mass exploitation of CVE-2019-11510
CVE-2019-11510 in Pulse Secure VPN went unpatched at thousands of enterprises; criminal and nation-state actors exploited it for years, breaching Travelex, US federal agencies and defence contractors.
- Target: Pulse Secure VPN — mass exploitation of CVE-2019-11510
- Date public: 21 August 2019
- Sector: Technology
- Attack type: Vulnerability Exploit
- Threat actor: Multiple — nation-state APTs, REvil/Sodinokibi, Conti affiliates
- Severity: Critical
- Region: Global
Pulse Secure makes the VPN appliances that many large organisations use to give remote workers access to internal systems. In April 2019 it published a patch for a severe vulnerability: anyone who knew the bug could read files from the appliance without logging in first, including the file that stored user credentials in plaintext. With those credentials, they could then log in as a legitimate user. The patch was available. But thousands of organisations either didn't know their appliances were vulnerable or didn't prioritise patching VPN hardware. Criminal ransomware groups — particularly REvil (also known as Sodinokibi) — discovered that they could scan the internet for unpatched Pulse Secure boxes and walk straight in. So did Chinese and Iranian state-sponsored hackers. The victims included the currency exchange Travelex, which was ransomwared on New Year's Eve 2019 and paid $2.3 million; multiple US federal agencies; US defence contractors; and hundreds of healthcare and financial organisations. CISA issued repeated emergency advisories. The Pulse Secure episode became the foundational case study behind the US government's Known Exploited Vulnerabilities catalogue — a public list of vulnerabilities being actively exploited that all federal agencies are now legally required to patch on a deadline.
What happened
In April 2019 Pulse Secure published Security Advisory SA44101 describing CVE-2019-11510, a critical vulnerability in its Pulse Connect Secure VPN product. The vulnerability allowed an unauthenticated attacker to read arbitrary files from the appliance — including the system credential files stored in the VPN’s configuration. With the credentials extracted from the file-read vulnerability, an attacker could then authenticate to the VPN as a legitimate user and access the corporate network behind it. The severity score was a maximum 10 on the CVSS scale.
The patch was available from April 2019. By the third quarter of 2019, security researchers including Bad Packets had identified over 14,500 internet-facing Pulse Secure appliances that had not been patched despite eight-plus months of patch availability. Those unpatched appliances became the initial-access inventory for ransomware operators, nation-state espionage actors, and opportunistic criminals throughout 2019, 2020, and beyond.
The most high-profile criminal victim was Travelex, the currency-exchange operator, which suffered a Sodinokibi (REvil) ransomware attack executed on New Year’s Eve 2019. Travelex’s systems were offline for weeks during January 2020; the company reportedly paid $2.3 million in ransom and was eventually acquired out of administration in August 2020, with the attack widely cited as a contributing factor in its financial collapse. The entry point was an unpatched Pulse Secure appliance.
US federal agencies fared poorly. CISA issued an emergency directive in April 2020 requiring agencies to audit their Pulse Secure VPN configurations and patch, but found that numerous agencies were still running vulnerable versions. The NSA and CISA subsequently issued advisories specifically naming Chinese state-sponsored actors (APT5 / Manganese) exploiting the same vulnerability against US defence contractors and critical infrastructure.
How it worked
CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances running versions 9.0R1 through 9.0R3.3, 8.1R1 through 8.1R15.1, 8.2R1 through 8.2R12.1, and 8.3R1 through 8.3R7.1. The vulnerability exists in the URL handling of the appliance’s web interface. A specially crafted request to a specific URL path — without authentication — causes the appliance to return the contents of a specified file on the system. The files accessible include /etc/passwd and, critically, the cache file at /data/runtime/mtmp/lmdb/datacache/data.mdb, which contains session tokens and, in configurations common before the patch, cached user credential data.
With cached credentials or session tokens extracted via the file read, an attacker could authenticate to the VPN and gain the same internal network access as a legitimate remote user. From that position, the next steps followed the standard enterprise intrusion playbook: credential escalation, Active Directory reconnaissance, lateral movement to high-value targets, and in the ransomware cases, deployment of the encryption payload.
Nation-state actors used the same initial-access pathway but for different purposes. APT5, a Chinese group focused on telecommunications and technology theft, used Pulse Secure access to conduct sustained espionage inside defence contractor networks. Iranian actors used it for both espionage and pre-positioning in US infrastructure. The common thread is that a single unpatched internet-facing appliance was sufficient initial access for a range of adversary types operating for different objectives.
The exploitation was made significantly easier by the wide availability of scanning tools and public proof-of-concept code for CVE-2019-11510. By late 2019 the vulnerability had been added to multiple commercial and open-source vulnerability scanners, and a large population of organisations’ unpatched Pulse Secure appliances was publicly discoverable within hours of initiating a scan. The time-to-exploit for a new victim was, for a moderately capable attacker, a matter of minutes once the target was identified.
Timeline
- April 2019 — Pulse Secure publishes patch and advisory for CVE-2019-11510; patch available from this date.
- August 2019 — Public proof-of-concept exploit code published; active exploitation begins in the wild.
- Q3–Q4 2019 — Bad Packets identifies 14,500+ unpatched internet-facing Pulse Secure appliances. REvil/Sodinokibi and other ransomware affiliates begin systematic exploitation of the unpatched population.
- 31 December 2019 — Travelex ransomware attack via unpatched Pulse Secure appliance; currency-exchange operations offline for weeks in January 2020. $2.3 million ransom reported paid.
- April 2020 — CISA issues Emergency Directive 20-03 requiring US federal agencies to immediately patch or disconnect Pulse Secure VPN appliances.
- 2020 — CISA Advisory AA20-010A documents continued exploitation after eight-plus months of patch availability. Conti ransomware affiliates named as using Pulse Secure access for multiple healthcare and financial sector intrusions.
- 2021 — NSA/CISA joint advisory names APT5 and other Chinese state-sponsored actors using Pulse Secure access against US defence industrial base.
- 2021 — Ivanti (which acquired Pulse Secure) discovers additional zero-day vulnerabilities in the same product (CVE-2021-22893), prompting a second wave of emergency advisories and reinforcing the pattern of unpatched edge devices as persistent attack surface.
- 2021 onwards — CISA’s Known Exploited Vulnerabilities (KEV) catalogue is launched, with Pulse Secure CVEs among the founding entries; all US federal agencies required to patch KEV entries on a binding deadline schedule.
What defenders should learn
The Pulse Secure incident is the foundational case for a principle that has since become a cornerstone of US federal cyber policy: internet-facing edge devices — VPN concentrators, firewalls, load balancers, remote-access appliances — are the highest-priority patching target in any enterprise environment. These devices sit between the internal network and the internet. A vulnerability in one of them that allows pre-authentication remote code execution or file read is not a routine software vulnerability; it is a direct breach of the perimeter. Organisations that deprioritise patching of these devices because they are “network infrastructure” rather than “software” are making a category error with severe consequences.
The 14,500+ unpatched appliances in the public scan data eight months after patch release is the specific failure. A patch that has been available for eight months and not applied represents a choice — usually a choice made without full awareness of the consequences. Asset management programmes that do not include internet-facing appliance firmware and software in their vulnerability scanning inventory cannot identify this exposure. CISA’s subsequent Known Exploited Vulnerabilities catalogue is a direct policy response: if a vulnerability is being actively exploited in the wild, it is categorically higher priority than the overall CVSS score suggests, and it requires a binding deadline for remediation rather than best-effort inclusion in the next quarterly patching cycle.
The Travelex outcome illustrates the business-continuity consequence for a single company. A single unpatched VPN appliance — one device — was the entry point for ransomware that effectively destroyed a global business with thousands of employees. The asset was not obscure: Pulse Secure VPN appliances are prominent, widely-used, high-value infrastructure. The patch was available. The cost of patching it was low. The cost of not patching it turned out to be the business itself.
For organisations managing edge infrastructure: inventory everything, scan from the outside to verify what is actually exposed, and treat firmware patching of internet-facing devices as equivalent in urgency to patching actively exploited software vulnerabilities — because it is.
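As an added example (not code from this page, from Pulse Secure or from CISA), here is the inventory check the preceding paragraphs call for: it parses Pulse Connect Secure version strings, tests them against the affected ranges listed under "How it worked", and applies KEV-style triage in which an actively exploited bug on an internet-facing appliance gets a binding remediation date regardless of CVSS. The host names, the inventory and the 14-day deadline are constructed assumptions, not values from the page.

```python
import re
from datetime import date, timedelta

# Affected Pulse Connect Secure ranges for CVE-2019-11510 as listed on this
# page: (lowest affected, highest affected), both inclusive.
AFFECTED_RANGES = [("9.0R1", "9.0R3.3"), ("8.1R1", "8.1R15.1"),
                   ("8.2R1", "8.2R12.1"), ("8.3R1", "8.3R7.1")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn '9.0R3.3' into (9, 0, 3, 3); a missing trailing part counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Secure version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_affected(version):
    """True when the version lies inside a listed affected range. A version
    outside them is merely not flagged here, which is not proof that it is
    patched; the vendor advisory (SA44101) remains authoritative."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def triage(appliances, today, kev_deadline_days=14):
    """KEV-style prioritisation of (hostname, version, internet_facing) rows.
    Actively exploited plus internet-facing earns a hard remediation date
    regardless of CVSS; the 14-day window is an assumed policy value."""
    rows = []
    for hostname, version, internet_facing in appliances:
        if not is_affected(version):
            rows.append((hostname, "ok", None))
        elif internet_facing:
            rows.append((hostname, "P1-exposed", today + timedelta(days=kev_deadline_days)))
        else:
            rows.append((hostname, "P2-internal", None))
    return rows

if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts or scan data.
    inventory = [("vpn-ams-01.example.internal", "8.3R7.1", True),
                 ("vpn-lab-03.example.internal", "9.0R3.3", False),
                 ("vpn-lon-02.example.internal", "9.0R4", True)]
    for row in triage(inventory, date(2019, 8, 21)):
        print(row)
```

The version data should come from an authenticated pull of each appliance plus an external scan, since the page's point is that appliances absent from the inventory are exactly the ones that stay unpatched.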
Controls that would have helped
The Controls Desk catalogues the defender controls that would have changed the outcome of this incident or limited its blast radius. They are sourced from regulator and framework guidance — never from vendors.
Sources
- CISA Advisory AA20-010A — Continued exploitation of Pulse Secure VPN vulnerability // primary
- Pulse Secure — Security Advisory SA44101 (CVE-2019-11510) // primary
- Bad Packets — Mass scanning for Pulse Secure VPN vulnerabilities // analysis
- FireEye / Mandiant — APT5 targeting Pulse Secure VPN // analysis
- Krebs on Security — Travelex ransomware linked to unpatched Pulse Secure VPN // reporting