Skip to main content

2019-129: File disclosure vulnerability in Pulse Connect Secure VPN Software

The Australian Signals Directorate’s Australian Cyber Security Centre is aware of a vulnerability that exists in the Pulse Connect Secure Virtual Private Network (VPN) solution.

Alert status
HIGH
Pulse Secure Logo

We advise users to ensure their systems are patched and up-to-date.

The Pulse VPN vulnerability, also known as CVE-2019-11510, was initially disclosed in April 2019 but has resurfaced after multiple reports of exploitation and the disclosure of working exploits available for use on Pastebin and GitHub.

CVE-2019-11510 leaves users open to attack from malicious actors who can exploit this vulnerability to read file contents on devices as well as leverage other vulnerabilities to execute commands.

Complacency is a big risk factor, as malicious actors are already using this exploit with great effect in Australia.

The vulnerability is present in the following Pulse Connect Secure versions:

  • 9.0R1 to 9.0R3.3
  • 8.3R1 to 83.R7
  • 8.2R1 to 8.2R12
  • 8.1R1 to 8.1R15

To report a cybercrime, visit cyber.gov.au.