CVE-2021-22894 — Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow Vulnerability

CVE-2021-22894

Pulse Connect Secure — Authenticated Buffer Overflow in Collaboration Suite Enables Root Code Execution; Part of April 2021 APT Exploitation Cluster

What is Ivanti Pulse Connect Secure?

Pulse Connect Secure (PCS), now part of Ivanti, is a widely deployed SSL VPN appliance used by enterprises and government agencies to provide remote network access. Because PCS sits at the network perimeter and terminates every remote employee connection, it is a high-value target: compromise gives attackers persistent access to the internal network, the ability to intercept credentials, and a foothold for lateral movement. PCS became a major exploitation focus in 2019 (CVE-2019-11510, a pre-auth arbitrary file read) and again in 2021, when a mix of newly discovered and previously known vulnerabilities, including both authenticated and unauthenticated RCE bugs, was exploited by Chinese state-sponsored actors in targeted campaigns against defense, government, and critical infrastructure organizations.

Overview

CVE-2021-22894 is a buffer overflow vulnerability in the Collaboration Suite component of Ivanti Pulse Connect Secure that allows a remote authenticated user to execute arbitrary code as root via a maliciously crafted meeting room. It is one of four vulnerabilities addressed in the April 2021 Pulse Secure exploitation cluster (alongside CVE-2021-22893, CVE-2021-22899, and CVE-2021-22900); CVE-2021-22893 was the unauthenticated entry point observed in the wild, and all four were later added to the CISA KEV catalog. The campaign, attributed to Chinese state-sponsored threat actors tracked as UNC2630 and UNC2717, targeted defense industrial base, government, and critical infrastructure organizations, and CISA issued Emergency Directive ED 21-03 in response. The fix shipped in PCS 9.1R11.4 and is carried forward in later releases.

Affected Versions

Product | Vulnerable | Fixed
Pulse Connect Secure before 9.1R11.4 | Yes | PCS 9.1R11.4 (May 2021) and later releases
Pulse Connect Secure 9.0Rx (end of support) | Yes | No fix for the 9.0 line; upgrade to 9.1R11.4 or later

Technical Details

  • Root cause: Buffer overflow in the PCS Collaboration Suite component. When handling a specially crafted meeting room request from an authenticated user, the component copies request-controlled data without validating its size against the destination buffer, corrupting adjacent memory and ultimately redirecting code execution. The public advisory does not state whether the overflowed buffer lives on the stack or the heap
  • Root code execution: Exploitation yields code execution as the root user on the PCS appliance, giving full control of the VPN gateway, access to internal network routing, the ability to extract credentials, and persistent backdoor installation
  • Authentication required (PR:L): CVSS PR:L means any valid PCS user account (ordinary VPN credentials, not an administrator) is sufficient. Attackers obtain such credentials through phishing, credential stuffing with leaked passwords, or by harvesting them from an appliance already compromised through another vector, such as the unauthenticated CVE-2021-22893 or the older CVE-2019-11510 file read
  • Chained exploitation: The observed campaign combined the unauthenticated authentication bypass CVE-2021-22893 with previously known PCS bugs and custom persistence; with valid credentials in hand, an authenticated root RCE such as CVE-2021-22894 provides an additional path to full control of the appliance, which is why the fix release addresses all four CVEs together
  • CISA ED 21-03: The scale of exploitation prompted CISA to issue Emergency Directive ED 21-03 requiring federal agencies to immediately run the Pulse Secure Integrity Checker Tool (ICT) and apply patches, an unusual level of urgency reflecting confirmed espionage against government networks
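
The root-cause bullet describes the generic unchecked-copy pattern. The following is an added illustration of that bug class written for this page; it is not PCS code and makes no claim about the actual Collaboration Suite layout. It models a fixed 32-byte meeting room name buffer followed in memory by a field the program trusts (a host uid, assumed here for illustration), lays both out in one byte array so the demo itself stays within bounds, and shows the vulnerable copy beside the hardened one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, assumed for illustration only: name buffer at
 * [0,32), a trusted 32-bit host uid immediately after it at [32,36).
 * Modelling both in one array keeps this simulation memory-safe while
 * still showing what an unchecked copy does to the adjacent field. */
#define ROOM_NAME_MAX 32
#define FRAME_SIZE    (ROOM_NAME_MAX + sizeof(uint32_t))

struct room_frame {
    unsigned char bytes[FRAME_SIZE];
};

static void frame_init(struct room_frame *f, uint32_t host_uid) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + ROOM_NAME_MAX, &host_uid, sizeof host_uid);
}

uint32_t frame_host_uid(const struct room_frame *f) {
    uint32_t v;
    memcpy(&v, f->bytes + ROOM_NAME_MAX, sizeof v);
    return v;
}

/* Vulnerable pattern: the length comes from the request and is never
 * compared with the size of the name buffer. The cap at FRAME_SIZE exists
 * only so this simulation cannot write outside its own array; the real
 * bug class has no such cap. */
int set_room_name_unchecked(struct room_frame *f, const unsigned char *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* simulation guard only */
    memcpy(f->bytes, src, len);               /* len > ROOM_NAME_MAX clobbers host_uid */
    return 0;
}

/* Hardened pattern: validate against the destination size before any
 * copy, leaving one byte for the terminator, and reject otherwise. */
int set_room_name_checked(struct room_frame *f, const unsigned char *src, size_t len) {
    if (src == NULL || len >= ROOM_NAME_MAX) return -1;
    memcpy(f->bytes, src, len);
    f->bytes[len] = '\0';
    return 0;
}

/* Constructed 36-byte "name": 32 filler bytes followed by four zero bytes.
 * Through the unchecked path the trailing zeros land on host_uid, turning
 * uid 1000 into 0. Returns the uid observed afterwards. */
uint32_t uid_after_unchecked(void) {
    struct room_frame f;
    unsigned char payload[FRAME_SIZE];
    memset(payload, 'A', ROOM_NAME_MAX);
    memset(payload + ROOM_NAME_MAX, 0, sizeof(uint32_t));
    frame_init(&f, 1000);
    set_room_name_unchecked(&f, payload, sizeof payload);
    return frame_host_uid(&f);
}

/* Same oversized input through the hardened path: rejected, uid intact. */
int checked_preserves_uid(void) {
    struct room_frame f;
    unsigned char payload[FRAME_SIZE];
    memset(payload, 'A', sizeof payload);
    frame_init(&f, 1000);
    int rc = set_room_name_checked(&f, payload, sizeof payload);
    return rc == -1 && frame_host_uid(&f) == 1000;
}

/* A legitimate short name is still accepted and NUL-terminated. */
int checked_accepts_short(void) {
    struct room_frame f;
    const unsigned char name[] = "ops-room";
    frame_init(&f, 1000);
    int rc = set_room_name_checked(&f, name, 8);
    return rc == 0 && memcmp(f.bytes, "ops-room", 9) == 0 && frame_host_uid(&f) == 1000;
}

int main(void) {
    printf("uid after unchecked copy: %u\n", (unsigned)uid_after_unchecked());
    printf("checked path rejects oversized name and keeps uid: %d\n", checked_preserves_uid());
    printf("checked path accepts short name: %d\n", checked_accepts_short());
    return 0;
}
```

The point of the demo is the ordering: the hardened variant compares the request-supplied length against the destination size before a single byte is copied. In a real appliance the field overwritten would not be a tidy uid but saved return addresses, function pointers or heap metadata, which is what turns the same unchecked copy into root code execution.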

Discovery

Disclosed as part of the coordinated Pulse Secure security research and incident response in April 2021. FireEye (Mandiant) and Pulse Secure (now Ivanti) published their findings together with the vendor advisory. Mandiant attributed the exploitation to Chinese government-linked threat actors UNC2630 (suspected links to APT5) and UNC2717, targeting the defense industrial base, government, and critical infrastructure.

Exploitation Context

The 2021 Pulse Connect Secure exploitation campaign was one of the most significant VPN exploitation events of the era. Chinese APT actors used a combination of a newly discovered vulnerability (CVE-2021-22893), previously known PCS bugs, and persistence mechanisms that survived VPN firmware upgrades to maintain long-term access to defense contractor and government networks. CVE-2021-22894 represents one of the secondary exploitation paths available after initial access: once an attacker holds PCS user credentials (harvested through phishing, or from an appliance previously compromised via CVE-2021-22893 or the CVE-2019-11510 file read), CVE-2021-22894 provides a path to root-level code execution and persistence on the VPN appliance itself, enabling interception of VPN traffic and a durable network presence. CISA added the CVE to the KEV catalog on 2021-11-03 with a remediation deadline of 2022-05-03.

Remediation

  1. Upgrade Pulse Connect Secure to PCS 9.1R11.4 or later; this release addresses all four CVEs in the April 2021 cluster
  2. Run the Pulse Secure Integrity Checker Tool (ICT) before and after patching to identify signs of compromise, including unauthorized file modifications and persistence mechanisms that survive firmware upgrades
  3. Per CISA ED 21-03: if the ICT reports unexpected findings, assume compromise and follow the Emergency Directive guidance for incident response, including credential resets for accounts that authenticated through the appliance
  4. Audit VPN user accounts and authentication logs for anomalous access patterns; credential compromise frequently precedes exploitation of authenticated PCS vulnerabilities such as this one
  5. Enforce multi-factor authentication on all PCS user accounts to raise the bar for authenticated exploitation
  6. Segment what VPN-authenticated users can reach: restrict internal resources per role so that a compromised credential or appliance has a limited blast radius

Key Details

Property | Value
CVE ID | CVE-2021-22894
Vendor / Product | Ivanti — Pulse Connect Secure
NVD Published | 2021-05-27
NVD Last Modified | 2025-12-18
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-94
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2021-04-20 | CISA and FBI issue Advisory AA21-110A and Emergency Directive ED 21-03 warning of active exploitation of Pulse Connect Secure vulnerabilities
2021-04-20 | Pulse Secure releases advisory SA44784 covering CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
2021-05-03 | Pulse Secure releases PCS 9.1R11.4 with fixes for all four CVEs; the fix is carried forward into subsequent 9.1 releases
2021-05-27 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline