CVE-2020-8260

HIGH KEV RANSOMWARE

Pulse Connect Secure <9.1R9 - Authenticated RCE

Title source: llm

Exploitation Summary

CVE-2020-8260 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including h00die, Spencer McIntyre, Richard Warren <[email protected]>, David Cash <[email protected]>, including a Metasploit module exploits/linux/http/pulse_secure_gzip_rce.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-8260, an uncontrolled gzip extraction vulnerability in Pulse Connect Secure appliances before 9.1R9, allowing arbitrary file overwrite and remote code execution as root. It includes authentication, version checking, and payload delivery mechanisms.

Description

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

Exploits (1)

metasploit WORKING POC EXCELLENT

by h00die, Spencer McIntyre, Richard Warren <[email protected]>, David Cash <[email protected]> · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pulse_secure_gzip_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-8260, an uncontrolled gzip extraction vulnerability in Pulse Connect Secure appliances before 9.1R9, allowing arbitrary file overwrite and remote code execution as root. It includes authentication, version checking, and payload delivery mechanisms.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pulse Connect Secure < 9.1R9

Auth required

Prerequisites: Valid admin credentials · Network access to the target appliance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Broken Link, Vendor Advisory x_refsource_misc

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8260

Scores

CVSS v3 7.2

EPSS 0.7303

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-04-20

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-29130

Ransomware Use Confirmed

CWE

CWE-434

Status published

Products (2)

ivanti/connect_secure 9.1 (15 CPE variants)

ivanti/connect_secure < 9.0

Published Oct 28, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026