Pulse Connect Secure SSL VPN arbitrary file read vulnerability

Nash N Sulthan
Published on
01 Oct 2021

In Pulse Connect Secure(PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated attacker with network access via HTTPS can send a specially crafted URL to perform an arbitrary file reading vulnerability.


This arbitrary file read vulnerability can lead to the leakage of sensitive information, allowing unauthorized remote attackers to read the private key and user password; furthermore, it can even trigger a remote command injection attack(CVE-2019-11539).

Mitigation / Precaution

Our recommendation is to upgrade the Pulse Connect Secure to the latest version as soon as possible to patch the vulnerabilities.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment