Nasty code execution vulnerability discovered in Pulse Secure VPN

(Image credit:

Security researchers have discovered a code execution vulnerability in Pulse Secure VPN which could be used by attackers to take control of an organization's entire network if left unpatched.

While investigating a customer's deployment of this popular enterprise VPN, researchers at the security firm GoSecure first discovered the flaw which requires an attacker to have administrative rights on the system running Pulse Secure VPN to exploit. However, they were easily able to obtain admin privileges during their testing by tricking an administrator into clicking on a malicious link embedded in an email.

Security researcher at GoSecure, Jean-Frédéric Gauron stressed the seriousness of the code execution vulnerability, tracked as CVE-2020-8218, his team had discovered in a blog post, saying:

“While it does require to be authenticated, the fact that it can be triggered by a simple phishing attack on the right victim should be evidence enough that this vulnerability is not to be ignored.”

Targeting VPNs

As more employees are working from home than ever before due to the pandemic, cybercriminals have begun to target the VPN services they use to securely connect to their company networks while working remotely. In fact, the FBI and CISA recently issued a joint advisory warning organizations and their employees about a new vishing campaign that tries to steal VPN credentials by targeting employees working remotely.

In addition to the code execution vulnerability GoSecure discovered, the security firm has also found three other vulnerabilities in Pulse Secure VPN. Of these though, the code execution vulnerability is the most serious but the team plans to publish blog posts on each of the flaws it found once they have been fixed or 90 days after disclosure.

Failing to patch VPN software can have serious consequences for businesses as shown by last year's Travelex hack where the operators of the REvil ransomware were able to gain access to the company's network as a result of one or more critical Pulse Secure vulnerabilities that were left unpatched by administrators.

Organizations using Pulse Secure VPN should update Pulse Connect to version 9.1 R8 to avoid falling victim to any potential attacks that leverage the code execution vulnerability discovered by GoSecure.

  • We've also highlighted the best VPN software

Via Ars Technica

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.