CVE-2021-22900 — Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability

CVE-2021-22900

Pulse Connect Secure — Admin-Authenticated Malicious Archive Upload Enables File Write and Code Execution; Part of April 2021 APT Exploitation Cluster

What is Ivanti Pulse Connect Secure?

Pulse Connect Secure (PCS), now part of Ivanti, is an enterprise SSL VPN platform providing remote access to corporate networks. The appliance's administration interface is a high-value attack surface: administrators use it to configure network-wide access policies, and it runs with full privileges on the appliance. File upload functionality in the admin interface, used for importing configurations, certificates, and firmware, can be abused to land attacker-controlled files that execute on the appliance. In the 2021 Chinese APT campaign, PCS administrative credentials were obtained through credential theft and through exploitation of the pre-authentication bypass CVE-2021-22893, which let the attackers go on to exploit admin-level vulnerabilities such as CVE-2021-22900 for persistent code execution.

Overview

CVE-2021-22900 is an unrestricted file upload vulnerability in the Ivanti Pulse Connect Secure administrator web interface. An authenticated administrator can upload a maliciously crafted archive via the admin interface, which the PCS appliance extracts without adequate validation, allowing the attacker to write arbitrary files to the filesystem, including web shells and other code execution payloads. Because it requires administrative access (PR:H), it sits later in the exploitation chain than the authenticated user-level vulnerabilities CVE-2021-22894 and CVE-2021-22899. All three belong to the April 2021 Pulse Secure cluster exploited by Chinese APT groups. CISA added CVE-2021-22900 to the KEV catalog in November 2021.

Affected Versions

Product                                      Vulnerable   Fixed
Pulse Connect Secure before 9.1R11.4         Yes          PCS 9.1R11.4 (May 2021); 9.1R12 and 9.1R12.1 also contain the fix
Pulse Connect Secure 9.0R (end of support)   Yes          No fix for 9.0R; upgrade to a supported 9.1R11.4 or later release

Technical Details

  • Root cause: unrestricted file upload with inadequate archive validation. The PCS administrator interface accepts archive files (ZIP, TAR, or similar) for import and extracts them onto the appliance filesystem without fully validating entry names, file types, or extraction paths. A crafted archive can therefore place files outside the intended destination (path traversal through ../ entries, absolute paths, or link members inside the archive) or drop executable scripts into web-accessible directories.
  • File write → code execution: writing attacker-controlled files into the PCS web server document root (or a similar web-accessible location) lets the attacker plant a web shell, a script that executes OS commands when requested over HTTP, giving persistent root-level code execution reachable remotely.
  • Admin authentication prerequisite: CVSS PR:H means administrator credentials are required. In the APT exploitation chain these were obtained earlier in the intrusion, for example through default or weak admin credentials, credential reuse, or escalation from a compromised VPN user account.
  • Persistence mechanism: file-based code execution via uploaded web shells is one of the techniques Chinese APT actors used to retain access to compromised PCS appliances. A software update replaces the files it ships and leaves other files alone, so the dropped files survived patching.
  • Chain role: CVE-2021-22900 provides a route to persistent code execution that complements the command injection CVE-2021-22899; multiple independent paths make the attacker's persistence more reliable.
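To make the root cause concrete, here is an added example, not Pulse Secure code and not the appliance's importer, that audits ZIP and TAR archives for exactly the entry types a safe extractor must refuse: names that escape the destination through ../ or absolute paths, and link members that point outside it. The archives are constructed in memory, and the entry names and destination directory are hypothetical.

```python
"""Added example, not code from the Pulse Secure appliance: audit an uploaded
archive for entries that would escape the extraction directory. The archives
below are constructed in memory; the entry names and destination path are
hypothetical and only illustrate the pattern."""
import io
import os
import tarfile
import zipfile


def unsafe_names(names, dest):
    """Return the entry names that would be written outside `dest`.

    This is the check the vulnerable extractor lacked: each name is resolved
    against the destination and anything whose real path is not beneath it
    is rejected, which catches '../' sequences and absolute paths.
    """
    dest = os.path.realpath(dest)
    bad = []
    for name in names:
        if os.path.isabs(name) or name.startswith(("/", "\\")):
            bad.append(name)
            continue
        target = os.path.realpath(os.path.join(dest, name))
        # commonpath rather than startswith, so '/opt/pcs-import2' is not
        # mistaken for a child of '/opt/pcs-import'.
        if os.path.commonpath([dest, target]) != dest:
            bad.append(name)
    return bad


def audit_zip(data, dest):
    """Unsafe entry names in a ZIP archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_names(zf.namelist(), dest)


def audit_tar(data, dest):
    """Unsafe members in a TAR archive given as bytes.

    Besides the member name, a symlink is checked by resolving its target
    relative to the member's own directory and a hardlink by its
    archive-relative target: a link to '/etc' escapes just as a traversing
    file name does.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            names = [member.name]
            if member.issym():
                names.append(os.path.join(os.path.dirname(member.name),
                                          member.linkname))
            elif member.islnk():
                names.append(member.linkname)
            if unsafe_names(names, dest):
                bad.append(member.name)
    return bad


def build_malicious_zip():
    """Constructed sample: one legitimate entry, one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<config/>")
        # Escapes the import directory into a hypothetical web root.
        zf.writestr("../../var/www/html/shell.cgi",
                    "placeholder, not a real web shell")
    return buf.getvalue()


def build_malicious_tar():
    """Constructed sample: a traversing file plus a symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        add_file("config/settings.xml", b"<config/>")
        add_file("../../var/www/html/shell.cgi",
                 b"placeholder, not a real web shell")
        link = tarfile.TarInfo("config/etc-link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/opt/pcs-import"  # hypothetical extraction directory
    print("zip:", audit_zip(build_malicious_zip(), dest))
    print("tar:", audit_tar(build_malicious_tar(), dest))
```

A safe importer runs this kind of audit over the whole archive and rejects it before writing a single file, rather than silently sanitizing names. For comparison, Python's own `zipfile.extractall` strips traversal components on extraction, while `tarfile` only gained a safe extraction filter (the `data` filter) in Python 3.12.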

Discovery

Disclosed by Pulse Secure as part of the April-May 2021 coordinated disclosure with Mandiant and CISA. Together, the pre-authentication bypass CVE-2021-22893, the authenticated user-level code execution bugs CVE-2021-22894 and CVE-2021-22899, and the admin-level file write CVE-2021-22900 gave attackers a complete toolkit against PCS appliances: initial access, code execution, and durable persistence.

Exploitation Context

CVE-2021-22900 is notable as an administrative persistence mechanism: Chinese APT actors (tracked by Mandiant as UNC2630) who held PCS admin credentials used it to install backdoors that survived the application of security patches. This is why CISA ED 21-03 required running the Integrity Checker Tool rather than just patching: an organization that patched without checking for existing compromise would remain compromised through the web shells already on disk. Using admin-level file upload to install persistence that outlives patching reflects a well-resourced adversary anticipating the defender's most likely response.

Remediation

  1. Apply PCS 9.1R11.4 or a later release
  2. Critical: run the Pulse Secure Integrity Checker Tool (ICT) before and after patching; ICT identifies unauthorized files and modifications, including files dropped through CVE-2021-22900 archive uploads, which a patch alone does not remove
  3. Per CISA ED 21-03: if ICT reports anomalous findings, rebuild the PCS appliance from a clean image; do not trust an appliance with confirmed file-level compromise
  4. Change all PCS administrative credentials after confirming appliance integrity; assume admin credentials are compromised if the appliance was exposed during the vulnerability window
  5. Restrict PCS administrative access: keep the admin interface off the internet and limit it to a management VLAN or trusted IP ranges
  6. Enable logging for all admin activity on PCS and review it for unauthorized archive uploads or configuration imports; do not limit the review to the April-May 2021 disclosure window, since exploitation of this PCS cluster predated disclosure
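As an added illustration of what step 2 is looking for (this is not the Pulse Secure ICT and uses none of its file lists), the following script builds a known-good tree, simulates an unauthorized file drop plus a tampered file, then applies a "patch" that rewrites only the files the vendor ships, and shows that a manifest comparison still reports the dropped file afterwards. File names and contents are constructed for the example.

```python
"""Added example, not the Pulse Secure Integrity Checker Tool: a manifest-based
integrity check that reports files added, removed or modified relative to a
known-good baseline, and shows why patching alone leaves a dropped file in
place. All paths and contents are constructed for illustration."""
import hashlib
import os
import tempfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = sha256_hex(fh.read())
    return manifest


def compare_manifests(baseline, current):
    """Files present now but not in the baseline (added), missing now
    (removed), and present in both with differing hashes (modified)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Known-good tree -> compromise -> vendor patch; returns the integrity
    reports taken before and after the patch."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Known-good baseline (hypothetical file names).
        write("home/webserver/index.cgi", b"legit v1")
        write("home/bin/dsconfig", b"legit v1")
        baseline = hash_tree(root)

        # Attacker drops a file via a crafted archive and tampers with one.
        write("home/webserver/cache/shell.cgi",
              b"placeholder, not a real web shell")
        write("home/webserver/index.cgi", b"legit v1 + injected")
        before_patch = compare_manifests(baseline, hash_tree(root))

        # The vendor patch rewrites only the files it ships. The post-patch
        # baseline is the vendor's manifest for the new version.
        write("home/webserver/index.cgi", b"legit v2")
        write("home/bin/dsconfig", b"legit v2")
        patched_baseline = {
            "home/webserver/index.cgi": sha256_hex(b"legit v2"),
            "home/bin/dsconfig": sha256_hex(b"legit v2"),
        }
        after_patch = compare_manifests(patched_baseline, hash_tree(root))
        return before_patch, after_patch


if __name__ == "__main__":
    before, after = demo()
    print("before patch:", before)
    print("after patch: ", after)
```

The tampered file disappears from the report once the patch overwrites it, but the dropped file is still flagged as added afterwards, which is the reason the directive insists on an integrity check rather than a patch alone.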

Key Details

Property               Value
CVE ID                 CVE-2021-22900
Vendor / Product       Ivanti — Pulse Connect Secure
NVD Published          2021-05-27
NVD Last Modified      2025-12-18
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-94
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2021-04-20   CISA Emergency Directive ED 21-03 issued; Chinese APT exploitation of Pulse Connect Secure confirmed
2021-04-20   Pulse Secure advisory SA44784 published for the actively exploited CVE-2021-22893, with interim mitigations
2021-05-03   Patches released (PCS 9.1R11.4; the later 9.1R12 and 9.1R12.1 releases also contain the fix); SA44784 updated to cover CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900
2021-05-27   CVE published
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline