CVE-2021-22899 — Ivanti Pulse Connect Secure Command Injection Vulnerability

CVE-2021-22899

Pulse Connect Secure — Authenticated Command Injection via Windows File Resource Profiles Enables Root Code Execution; Part of April 2021 APT Exploitation Cluster

What is Ivanti Pulse Connect Secure?

Pulse Connect Secure (PCS) is an enterprise SSL VPN platform providing remote network access for large organizations. VPN appliances like PCS are attractive targets because they process all remote access traffic, authenticate users with domain credentials, and have privileged network access to internal resources. Command injection vulnerabilities in VPN administrative interfaces are particularly dangerous because they allow authenticated users to execute arbitrary OS commands on the VPN appliance — bypassing the VPN's role as a security boundary and enabling full network interception and persistent access. In 2021, Chinese state-sponsored actors conducted a sustained exploitation campaign against Pulse Connect Secure installations at defense, government, and critical infrastructure organizations worldwide.

Overview

CVE-2021-22899 is a command injection vulnerability (CWE-77) in Ivanti Pulse Connect Secure that allows a remote authenticated user to execute arbitrary commands as root on the PCS appliance via maliciously crafted Windows File Resource Profile settings. This authenticated command injection is part of the April 2021 Pulse Secure exploitation cluster (alongside CVE-2021-22893, CVE-2021-22894, CVE-2021-22900) actively exploited by Chinese APT groups UNC2630 and UNC2717 against high-value targets. CISA issued Emergency Directive ED 21-03 in response. Fixes shipped in May 2021 in PCS 9.1R11.4 and later releases. CISA added CVE-2021-22899 to the KEV catalog in November 2021.

Affected Versions

Product                                    | Vulnerable | Fixed
Pulse Connect Secure before 9.1R11.4       | Yes        | PCS 9.1R11.4, 9.1R12, 9.1R12.1 (May 2021)
Pulse Connect Secure 9.0R (end of support) | Yes        | Upgrade to supported release

Technical Details

  • Root cause: Command injection (CWE-77) in the Windows File Resource Profiles feature of PCS — the VPN appliance's configuration interface for Windows file access does not adequately sanitize user-supplied input before incorporating it into OS commands; an authenticated user can inject additional commands that execute on the PCS appliance's underlying operating system
  • Root execution: Command injection in a privileged PCS process achieves code execution as root — full control of the VPN appliance, including access to all VPN credentials in memory, session tokens, network routing tables, and the ability to install persistent backdoors
  • Windows File Resource Profiles: This PCS feature allows VPN administrators and users (depending on configuration) to configure Windows file sharing resources; the injection point is within the file resource path or configuration parameters handled by PCS
  • Chaining with pre-auth CVE-2021-22893: The pre-auth file read vulnerability CVE-2021-22893 enabled attackers to extract VPN user credentials without authentication; those credentials were then used to exploit authenticated bugs like CVE-2021-22899 for root access
  • APT exploitation chain: UNC2630/UNC2717 (Chinese APT) combined multiple PCS vulnerabilities in a sophisticated multi-stage attack: pre-auth credential extraction → authenticated command execution → persistent backdoor installation that survived firmware updates
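The hardening that closes the CWE-77 pattern described above is to accept the file resource path only against a strict grammar and to pass it to the operating system as discrete arguments, never as a shell string. The following is an added illustration, not PCS code; the UNC grammar, the function names and the cifs mount command are constructed assumptions.

```python
import re

# Allow-list grammar for a Windows file resource path in UNC form,
# \\server\share[\folder...]. Host labels follow DNS label rules; share and
# folder segments are limited to a conservative subset of valid Windows name
# characters. Shell metacharacters (; | & ` quotes, parentheses, newlines)
# never match, so nothing that passes can alter a command line. (Constructed.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST = rf"{_LABEL}(?:\.{_LABEL})*"
_SEGMENT = r"[A-Za-z0-9 ._$-]{1,255}"
_UNC_RE = re.compile(rf"\\\\({_HOST})\\({_SEGMENT})((?:\\{_SEGMENT})*)")


def parse_unc_path(value: str):
    """Return (host, share, [folders]) for a well-formed UNC path, else raise."""
    m = _UNC_RE.fullmatch(value)
    if m is None:
        raise ValueError("file resource path is not a well-formed UNC path")
    host, share, rest = m.group(1), m.group(2), m.group(3)
    folders = [seg for seg in rest.split("\\") if seg]
    # The segment class admits runs of dots; reject traversal components explicitly.
    if any(seg in (".", "..") for seg in [share] + folders):
        raise ValueError("relative path components are not allowed")
    return host, share, folders


def build_mount_argv(value: str, mountpoint: str) -> list:
    """Build an argv list for mounting the validated share. Handing a list to
    subprocess.run (shell=False) means the kernel receives separate arguments
    and no shell ever parses the user-supplied text."""
    host, share, folders = parse_unc_path(value)
    source = "//" + host + "/" + "/".join([share] + folders)
    return ["mount", "-t", "cifs", source, mountpoint]
```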

Discovery

Identified as part of the coordinated Pulse Secure security investigation in April 2021. FireEye (Mandiant) and Pulse Secure jointly published details. The exploitation was attributed to Chinese government-affiliated threat actors conducting targeted espionage against defense contractors, government agencies, and financial institutions.

Exploitation Context

CVE-2021-22899 is most significant in the context of the broader 2021 Pulse Secure exploitation campaign. Chinese APT actors combined multiple CVEs from the same advisory to achieve deep and persistent compromise: they used file read vulnerabilities to steal credentials, authenticated command injection to gain root access, and then installed persistence mechanisms on the VPN appliance that survived firmware upgrades — allowing them to re-establish access even after victims applied patches. The CISA Emergency Directive ED 21-03 required federal agencies to run Pulse Secure's Integrity Checker Tool specifically because many organizations had been persistently compromised through this chain. The November 2021 KEV addition and long May 2022 deadline reflect CISA's assessment that organizations were still actively at risk.

Remediation

  1. Apply PCS 9.1R11.4 or later patches — addresses CVE-2021-22899 and all related April 2021 cluster vulnerabilities
  2. Run the Pulse Secure Integrity Checker Tool (ICT) to identify signs of compromise before and after patching — persistent backdoors installed via command injection may survive the patch
  3. Follow CISA ED 21-03 guidance: if ICT findings are anomalous, treat the device as compromised and follow incident response procedures
  4. Implement MFA on all PCS VPN user accounts — reduces the impact of credential theft that enables authenticated exploitation
  5. Restrict Windows File Resource Profile configuration permissions to administrative accounts only if end-user configuration is not required
  6. After patching, audit VPN session logs, PCS admin activity, and internal network access from VPN addresses for anomalous patterns indicating pre-patch compromise

Key Details

Property             | Value
CVE ID               | CVE-2021-22899
Vendor / Product     | Ivanti — Pulse Connect Secure
NVD Published        | 2021-05-27
NVD Last Modified    | 2025-12-18
CVSS 3.1 Score       | 8.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-77
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | Low
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2021-04-20 | CISA Emergency Directive ED 21-03 issued — active exploitation of Pulse Connect Secure by Chinese APT (UNC2630) confirmed
2021-04-20 | Pulse Secure advisory SA44784 published covering CVE-2021-22894, CVE-2021-22899, CVE-2021-22900, and CVE-2021-22893
2021-05-03 | Pulse Secure patches released — PCS 9.1R11.4, 9.1R12, 9.1R12.1
2021-05-27 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline