CVE-2019-11539

HIGH KEV RANSOMWARE

Pulse Secure <9.0R3.4-5.1R15.1 - Authenticated Command Injection


Exploitation Summary

CVE-2019-11539 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, Justin Wagner, and 0xDezzy; one of them is the Metasploit module exploits/linux/http/pulse_secure_cmd_exec.

AI-analyzed exploit summary: This Metasploit module exploits a post-auth command injection vulnerability in Pulse Secure VPN (CVE-2019-11539) to execute arbitrary commands as root. It bypasses application whitelisting using the env(1) command and leverages a valid administrator session ID for authentication.

Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/47700

This Metasploit module exploits a post-auth command injection vulnerability in Pulse Secure VPN (CVE-2019-11539) to execute arbitrary commands as root. It bypasses application whitelisting using the env(1) command and leverages a valid administrator session ID for authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pulse Secure VPN
Auth required
Prerequisites: Valid administrator session ID
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Justin Wagner · python · remote · multiple
https://www.exploit-db.com/exploits/47354

This exploit leverages CVE-2019-11539 to achieve post-authentication remote code execution on Pulse Secure VPN appliances. It injects commands via a tcpdump diagnostic tool to overwrite system files, enabling SSH access as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pulse Secure Connect VPN (8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, 9.0 before 9.0R3.4)
Auth required
Prerequisites: Valid admin credentials · Network access to the target · Web server hosting modified SSH configuration files
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 133 stars
by 0xDezzy · remote-auth
https://github.com/0xDezzy/CVE-2019-11539

This repository contains a functional Python exploit for CVE-2019-11539, which targets an authenticated command injection vulnerability in Pulse Secure Pulse Connect Secure. The exploit logs in as an admin, injects commands via a tcpdump diagnostic feature, and overwrites SSH configuration files to enable root access.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pulse Secure Pulse Connect Secure (versions 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, 8.1RX before 8.1R15.1)
Auth required
Prerequisites: Admin credentials for the Pulse Secure admin interface · Network access to the target device
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Orange Tsai, Meh Chang, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pulse_secure_cmd_exec.rb

This Metasploit module exploits a post-authentication command injection vulnerability in Pulse Secure VPN servers (CVE-2019-11539) by leveraging the env(1) command to bypass application whitelisting and execute arbitrary commands as root. It requires a valid administrator session ID and uses a CSRF token to craft malicious requests to the diagnostic CGI endpoint.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pulse Secure VPN
Auth required
Prerequisites: Valid administrator session ID · Access to the diagnostic CGI endpoint
devstral-2 · analyzed Feb 19, 2026

References (10)

Core References
Third Party Advisory, Vendor Advisory x_refsource_confirm
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108073
Third Party Advisory x_refsource_confirm
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/927237
Broken Link, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162092/Pulse-Secure-VPN-Arbitrary-Command-Execution.html

Scores

CVSS v3 7.2
EPSS 0.9390
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-10-02
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-3210
Ransomware Use Confirmed
CWE CWE-78
Status published
Products (3)
ivanti/connect_secure 8.1 (25 CPE variants)
ivanti/connect_secure 8.2 (22 CPE variants)
ivanti/connect_secure 8.3 (3 CPE variants)
Published Apr 26, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026