Pulse Connect Secure / Pulse Policy Secure Admin Command Injection
CVE-2019-11539 is a command injection vulnerability in the admin web interface of Pulse Secure Pulse Connect Secure and Pulse Policy Secure. The issue affects Pulse Connect Secure 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, as well as Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1. An authenticated attacker can use the administrative web interface to inject and execute commands on the appliance. The specific vulnerable function or parameter is not identified in the available material.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a single Python exploit script (CVE-2019-11539.py) targeting Pulse Secure VPN appliances vulnerable to CVE-2019-11539, a post-authentication remote code execution flaw. The exploit requires valid admin credentials and a web server hosting replacement SSH configuration and authorized_keys files. The script logs into the admin web interface, exploits a command injection vulnerability to execute arbitrary system commands, opens a firewall port, downloads and replaces SSH configuration files, and restarts the SSH daemon to enable root SSH access. The README provides detailed usage instructions, affected versions, and references. The exploit is operational and provides persistent root access if successful. No framework is used; the code is standalone Python. The main attack vector is network-based, targeting the HTTPS admin interface of the VPN appliance. Key endpoints and file paths are hardcoded or configurable in the script.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An admin command injection vulnerability affecting Pulse Connect Secure / Policy Secure.
A command injection vulnerability in Ivanti Pulse Connect Secure and Policy Secure listed as part of historically targeted vulnerabilities.
A high-severity authenticated command injection vulnerability in the admin web interface of Pulse Connect Secure and Pulse Policy Secure.
A remote command injection vulnerability in Pulse Secure VPN referenced as a potential follow-on after credential/key theft, enabling deeper access into the VPN network.