CVE-2020-8956

LOW

Pulse Secure Desktop Client <9.0R5, <9.1R4 - Info Disclosure

Title source: llm

Description

Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9.1R4 on Windows reveals users' passwords if Save Settings is enabled.

Exploits (1)

metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/pulse_secure.rb

References (1)

Scores

CVSS v3 3.3
EPSS 0.0924
EPSS Percentile 92.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-521
Status published
Products (11)
pulsesecure/pulse_secure_desktop 9.0r1.0
pulsesecure/pulse_secure_desktop 9.0r2.0
pulsesecure/pulse_secure_desktop 9.0r2.1
pulsesecure/pulse_secure_desktop 9.0r3.0
pulsesecure/pulse_secure_desktop 9.0r3.1
pulsesecure/pulse_secure_desktop 9.0r4.0
pulsesecure/pulse_secure_desktop 9.0r4.1
pulsesecure/pulse_secure_desktop 9.1r1.0
pulsesecure/pulse_secure_desktop 9.1r2.0
pulsesecure/pulse_secure_desktop 9.1r3.0
... and 1 more
Published Oct 27, 2020
Tracked Since Feb 18, 2026