Vulnerability Watch

Forum Discussion

scaveza
Product Team
6 years ago

A proof of concept has been made public for CVE-2019-11510, an arbitrary file disclosure vulnerability found in popular virtual private network software, Pulse Connect Secure.

On August 20th, a proof of concept (PoC) exploit module was published for CVE-2019-11510, an arbitrary file disclosure vulnerability found in Pulse Connect Secure (PCS). This flaw could allow an unauthenticated, remote attacker to read the contents of files found on a vulnerable device, including sensitive information such as configuration settings.

As the researchers describe in their initial report of the issue, this attack could be chained with other vulnerabilities they discovered. This research demonstrates how an attacker can take advantage of a pre-authentication flaw and achieve command execution by chaining multiple vulnerabilities to compromise a vulnerable device. What is most concerning about these chained exploits is that PCS is used to restrict external access to an environment, and by achieving command execution on the device, an attacker could use this access to weaponize the device and use it for malicious purposes such as data exfiltration.

Patches were released by Pulse Secure on April 24th, 2019 to address this vulnerability and several additional CVEs.

For more details about the vulnerability, including what versions of Pulse Secure Connect are affected, please visit our blog.