CVE-2020-13162

HIGH

Pulse Secure Client <9.1.6-5.3 R70 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13162. PoCs published by redtimmy.

AI-analyzed exploit summary This is a working privilege escalation exploit for Pulse Secure Windows Client <9.1.6 (CVE-2020-13162). It leverages a TOCTOU (Time-of-Check Time-of-Use) race condition to replace a verified MSI file with a malicious one, achieving local privilege escalation.

Description

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

Exploits (1)

nomisec WORKING POC 10 stars
by redtimmy · poc
https://github.com/redtimmy/tu-TOCTOU-kaiu-TOCMEU-CVE-2020-13162-

This is a working privilege escalation exploit for Pulse Secure Windows Client <9.1.6 (CVE-2020-13162). It leverages a TOCTOU (Time-of-Check Time-of-Use) race condition to replace a verified MSI file with a malicious one, achieving local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Pulse Secure Windows Client <9.1.6
No auth needed
Prerequisites: Presence of Pulse Secure Windows Client <9.1.6 · Ability to execute code on the target system · Malicious MSI file ('evil.msi') · PulseSecureInstallerService.exe binary
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Vendor Advisory x_refsource_misc
https://kb.pulsesecure.net/?atype=sa
Third Party Advisory x_refsource_misc
https://twitter.com/sepcali/status/1262551597990711296
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Jun/25
Third Party Advisory x_refsource_misc
https://twitter.com/gsepcali/status/1262551597990711296
Third Party Advisory x_refsource_misc
https://twitter.com/gsepcali/status/1272927080909623297
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Sep/15

Scores

CVSS v3 7.0
EPSS 0.0079
EPSS Percentile 51.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-367
Status published
Products (5)
pulsesecure/pulse_secure_desktop_client 5.3 r1.0 (10 CPE variants)
pulsesecure/pulse_secure_desktop_client 9.0 r1.0 (9 CPE variants)
pulsesecure/pulse_secure_desktop_client 9.1 r1.0 (10 CPE variants)
pulsesecure/pulse_secure_installer_service 8.3
pulsesecure/pulse_secure_installer_service 9.1 (2 CPE variants)
Published Jun 16, 2020
Tracked Since Feb 18, 2026