Vulnerability in Pulse Secure: Pulse Connect Secure (PCS)
CVE Score: 8.8 (CVSS 3.0), 6.5 (CVSS 2.0)
This arbitrary file reading vulnerability (CVE-2019-11510) allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user passwords.
Hackers are actively launching attacks that attempt to steal encryption keys, passwords, and other sensitive data from vulnerable Pulse Secure VPN servers. The vulnerabilities can be exploited by sending unpatched servers web requests that contain a special sequence of characters. This gives an attacker the ability to access private keys and user passwords.
Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside the private VPN network.
CERT.be recommends that all system administrators upgrade their vulnerable Pulse Secure instances to version 9.1R1 or above.
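To apply this recommendation across several appliances, the following added example (not part of the original advisory and not Pulse Secure code) sorts an inventory of PCS release strings into hosts below 9.1R1, hosts at or above it, and hosts whose version could not be parsed and need a manual check. The hostnames, sample versions and function names are constructed for illustration; the only value taken from the advisory is the 9.1R1 threshold.

```python
import re

# Minimum release recommended in the advisory above.
MIN_RELEASE = "9.1R1"

# PCS release strings look like "9.0R3.4" or "9.1R1":
# major.minor, "R", release number, optional patch level.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\b", re.IGNORECASE)


def parse_pcs_version(text):
    """Return (major, minor, release, patch), or None if not a PCS release string."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    # A missing patch level compares as 0, so "9.1R1" == "9.1R1.0".
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(inventory, minimum=MIN_RELEASE):
    """Split {host: version string} into 'upgrade', 'ok' and 'unknown' host lists."""
    floor = parse_pcs_version(minimum)
    result = {"upgrade": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        parsed = parse_pcs_version(version)
        if parsed is None:
            # Never assume an unreadable version is safe: flag it for manual review.
            result["unknown"].append(host)
        elif parsed < floor:
            result["upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample inventory (hostnames, versions and build number are illustrative).
SAMPLE_INVENTORY = {
    "vpn-a.example.org": "9.0R3.3",
    "vpn-b.example.org": "9.1R1",
    "vpn-c.example.org": "8.3R7 (build 12345)",
    "vpn-d.example.org": "9.1R2.0",
    "vpn-e.example.org": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Because the flaw exposes private keys and user passwords, a host listed under "upgrade" should also be treated as having potentially leaked those secrets, not only as needing a patch.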