CVE-2021-22893 — Ivanti Pulse Connect Secure Use-After-Free Vulnerability

CVE-2021-22893

Ivanti Pulse Connect Secure — Pre-Authentication RCE via CGI Vulnerability, Zero-Day Exploited by Multiple Chinese APT Groups; CISA Emergency Directive 21-03

What is Ivanti Pulse Connect Secure?

Pulse Connect Secure (PCS), formerly from Pulse Secure and now under Ivanti, is an enterprise SSL VPN platform used by thousands of organizations globally — including US defense contractors, financial institutions, government agencies, and critical infrastructure operators — to provide remote access to corporate networks. As a VPN gateway, Pulse Connect Secure sits at the perimeter of enterprise networks: an attacker who compromises PCS gains persistent network access, the ability to intercept VPN traffic, and a foothold from which to pivot into the internal network. PCS has been a repeated target of nation-state actors precisely because of its role as an internet-exposed authentication gateway.

Overview

CVE-2021-22893 is an authentication bypass/remote code execution vulnerability (CVSS 10.0) in the CGI handler of Pulse Connect Secure. The vulnerability allows an unauthenticated remote attacker to perform remote code execution via crafted requests to the PCS web interface. Mandiant discovered active exploitation by Chinese-linked threat actors UNC2630 and UNC2717 in January 2021 — making this a zero-day exploited for months before disclosure. CISA issued Emergency Directive 21-03 specifically for this vulnerability, requiring all federal agencies to immediately inventory PCS deployments and apply mitigations. Twelve distinct malware families — including novel backdoors — were identified being deployed via exploited PCS devices.

Affected Versions

Product                                      Vulnerable   Fixed
Pulse Connect Secure 9.0R3 and later         Yes          9.1R11.4
Pulse Connect Secure 9.1Rx before 9.1R11.4   Yes          9.1R11.4

Technical Details

The vulnerability resides in the CGI-based web interface of Pulse Connect Secure:

  • Root cause: Authentication bypass (CWE-287) in the PCS CGI implementation — specific URL paths bypass authentication checks, allowing unauthenticated access to authenticated functionality
  • Code execution: The authentication bypass enables execution of arbitrary commands on the PCS appliance, which runs as root
  • Pre-authentication: No credentials or existing session required — the exploit targets the login-phase CGI handler
  • Scope: Changed — successful exploitation allows access to the underlying PCS operating system and all VPN traffic passing through the appliance
  • Malware deployment: Attackers deployed Slightpulse, Bloodmine, Steadypulse, and other novel malware families specifically designed for PCS persistence, surviving firmware upgrades and factory resets in some cases
  • Persistent access technique: Some malware families modified the PCS Pulse Integrity Checker to survive integrity verification, requiring offline forensics to detect

Discovery

Discovered by Mandiant (then FireEye Mandiant) during incident response investigations at multiple US government agencies and defense industrial base organizations in early 2021. Mandiant attributed exploitation to UNC2630 (assessed as affiliated with China's MSS) and UNC2717 (a separate Chinese-nexus group), who used the zero-day for espionage. The NSA also attributed exploitation to APT5, a Chinese threat group.

Exploitation Context

CVE-2021-22893 represents one of the most serious VPN vulnerabilities of 2021. The zero-day exploitation by Chinese APT groups targeted US defense contractors, government agencies, financial institutions, and critical infrastructure operators globally. The 12 novel malware families discovered represent a significant investment by the threat actors. CISA's Emergency Directive 21-03 — one of only a handful of emergency directives ever issued — required federal agencies to run the Pulse Secure Integrity Checker Tool on all devices by April 23, 2021, and report results within 24 hours.

Remediation

  1. Upgrade to Pulse Connect Secure 9.1R11.4 or later immediately
  2. Before upgrading, run the Pulse Secure Integrity Checker Tool to detect whether the device has been compromised — some malware survives firmware upgrades
  3. Rotate all credentials that may have been exposed to the PCS appliance: VPN user accounts, LDAP/Active Directory service accounts, admin credentials
  4. Review PCS logs and authentication logs for unauthorized access during the exposure window (potentially from January 2021 or earlier until the date the device was patched)
  5. Consult the Mandiant Pulse Secure IOC report for specific indicators of compromise associated with UNC2630/UNC2717 activity
  6. Consider transitioning from legacy SSL VPN to a zero-trust network access (ZTNA) architecture — the recurring exploitation of VPN appliances reflects their high-value target status as internet-exposed authentication gateways
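For the inventory step that Emergency Directive 21-03 demands and for remediation step 1, the following is an added example (not Ivanti's or CISA's tooling) that parses PCS version strings of the form "<major>.<minor>R<release>[.<patch>]" and flags builds in the affected range from the table above, i.e. 9.0R3 and later but earlier than the fixed build 9.1R11.4; hostnames in the sample inventory are constructed placeholders.

```python
import re
from typing import Dict, Tuple

# Range boundaries taken from this page's Affected Versions table.
FIRST_VULNERABLE = "9.0R3"
FIXED = "9.1R11.4"

# Matches "9.0R3" and "9.1R11.4"; the trailing ".patch" component is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R11.4' into a comparable (major, minor, release, patch) tuple.

    A missing patch component is treated as 0, so '9.0R3' sorts before '9.0R3.1'.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True when the build lies in [9.0R3, 9.1R11.4), the range the page lists."""
    v = parse_pcs_version(version)
    return parse_pcs_version(FIRST_VULNERABLE) <= v < parse_pcs_version(FIXED)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch' or 'ok' from a {hostname: version} inventory.

    Unparseable version strings are reported as 'unknown' rather than silently
    passed, since an appliance whose build cannot be read still needs a look.
    """
    verdicts = {}
    for host, ver in inventory.items():
        try:
            verdicts[host] = "patch" if is_vulnerable(ver) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real assets.
    sample = {"vpn-a.example": "9.1R11.3", "vpn-b.example": "9.1R11.4",
              "vpn-c.example": "9.0R3", "vpn-d.example": "9.1R12", "vpn-e.example": "n/a"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```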

Key Details

Property               Value
CVE ID                 CVE-2021-22893
Vendor / Product       Ivanti — Pulse Connect Secure
NVD Published          2021-04-23
NVD Last Modified      2025-12-18
CVSS 3.1 Score         10.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-287
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2021-01      Mandiant begins investigating suspected exploitation of Pulse Connect Secure zero-day vulnerabilities
2021-04-20   CISA issues Emergency Directive 21-03 requiring federal agencies to inventory and assess all Pulse Connect Secure devices
2021-04-20   Pulse Secure (Ivanti) releases mitigation (workaround); patches not yet available
2021-04-23   CVE published; Mandiant discloses exploitation by UNC2630 and UNC2717 (Chinese APTs)
2021-05-03   Pulse Secure releases patched firmware (9.1R11.4)
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline