Nasty code execution vulnerability discovered in Pulse Secure VPN

News
By
published

Pulse Secure users should update their VPN software ASAP

VPN
VPN-tjänster har många olika funktioner - här är de allra viktigaste du ska kolla efter. (Image credit: Shutterstock.com)

Security researchers have discovered a code execution vulnerability in Pulse Secure VPN which could be used by attackers to take control of an organization's entire network if left unpatched.

While investigating a customer's deployment of this popular enterprise VPN, researchers at the security firm GoSecure first discovered the flaw which requires an attacker to have administrative rights on the system running Pulse Secure VPN to exploit. However, they were easily able to obtain admin privileges during their testing by tricking an administrator into clicking on a malicious link embedded in an email.

Security researcher at GoSecure, Jean-Frédéric Gauron stressed the seriousness of the code execution vulnerability, tracked as CVE-2020-8218, his team had discovered in a blog post, saying:

“While it does require to be authenticated, the fact that it can be triggered by a simple phishing attack on the right victim should be evidence enough that this vulnerability is not to be ignored.”

Targeting VPNs

As more employees are working from home than ever before due to the pandemic, cybercriminals have begun to target the VPN services they use to securely connect to their company networks while working remotely. In fact, the FBI and CISA recently issued a joint advisory warning organizations and their employees about a new vishing campaign that tries to steal VPN credentials by targeting employees working remotely.

In addition to the code execution vulnerability GoSecure discovered, the security firm has also found three other vulnerabilities in Pulse Secure VPN. Of these though, the code execution vulnerability is the most serious but the team plans to publish blog posts on each of the flaws it found once they have been fixed or 90 days after disclosure.

Failing to patch VPN software can have serious consequences for businesses as shown by last year's Travelex hack where the operators of the REvil ransomware were able to gain access to the company's network as a result of one or more critical Pulse Secure vulnerabilities that were left unpatched by administrators.

Organizations using Pulse Secure VPN should update Pulse Connect to version 9.1 R8 to avoid falling victim to any potential attacks that leverage the code execution vulnerability discovered by GoSecure.

  • We've also highlighted the best VPN software

Via Ars Technica

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in VPN Privacy & Security
Homepage of CloudFlare website on the display of PC, url - CloudFlare.com.
"Network blocking is never going to be the solution" – Cloudflare slams anti-piracy tactics
Panels at RightsCon 2025 during a press briefing about the latest Access Now report of internet shutdowns
2024 was the worst year on record for internet freedoms – again
Vector illustration of the word Censored in a glitch distorted style
Google, Apple, and internet restriction – how Big Tech is making censorship "much worse" according to experts
Google TV onscreen interface showing streaming apps
Why do streaming services geo-restrict content?
Pirate key on computer keyboard
Italy to require VPN and DNS providers to block pirated content
piracy
Canal+ wants to block VPN usage – and VPN providers are fuming
Latest in News
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Guitar Hero Mobile
Activision shares first look at Guitar Hero Mobile and, yeah, it looks like AI slop
Web DDoS attacks see major surge as AI allows more powerful attacks
Pulchra Fellini in Zenless Zone Zero.
Zenless Zone Zero Version 1.6 will finally let you play as a furry gunslinger
Two hands holding the Tecno Spark Slim phone
The world’s thinnest phone was just revealed, but a new iPhone 17 Air leak suggests it could be even slimmer
Polish space agency says it was hit by a cyberattack
More about vpn privacy security
Homepage of CloudFlare website on the display of PC, url - CloudFlare.com.

"Network blocking is never going to be the solution" – Cloudflare slams anti-piracy tactics
Google TV onscreen interface showing streaming apps

Why do streaming services geo-restrict content?

An Nvidia GeForce RTX 5070

I really wanted to like the Nvidia GeForce RTX 5070, but it broke my heart and it shouldn't have to break yours, too
See more latest
Most Popular
Building the Lego Beauty and the Beast Castle
Another iconic Disney Castle is getting the Lego treatment, and this one roars
TSMC
TSMC announces huge US investment to boost AI development
Peak Design Roller Pro roller case on the floor of luxury airport, opened out
I’ve been using Peak Design’s innovative new Roller Pro for weeks, and it’s my new go-to carry-on case for travel – here’s why
Guitar Hero Mobile
Activision shares first look at Guitar Hero Mobile and, yeah, it looks like AI slop
A D-pad in the PlayStation Plus logo
Sony is now issuing PS Plus compensation following the recent PSN outage
Princess Tiana holding a frog in her hand and smiling in The Princess and the Frog.
Disney+ reportedly cancels plans to make an offshoot series of The Princess and the Frog, and that’s not the only streaming project it’s abandoning
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Two hands holding the Tecno Spark Slim phone
The world’s thinnest phone was just revealed, but a new iPhone 17 Air leak suggests it could be even slimmer
Google Pixel 9 Pro
Google Password Manager may be set to introduce a nuclear option for its Android app
Pulchra Fellini in Zenless Zone Zero.
Zenless Zone Zero Version 1.6 will finally let you play as a furry gunslinger