CVE-2020-13162: Pulse Secure Client Privilege Escalation

CVE-2020-13162 Overview

A time-of-check time-of-use (TOCTOU) vulnerability exists in PulseSecureService.exe within Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows. The service runs with elevated privileges as NT AUTHORITY/SYSTEM, allowing unprivileged local users to exploit the race condition to execute a Microsoft Installer (MSI) executable with SYSTEM-level privileges.

Critical Impact

Local privilege escalation from standard user to SYSTEM allows complete compromise of Windows endpoints running vulnerable Pulse Secure Client versions.

Affected Products

• Pulse Secure Desktop Client for Windows versions 5.3 R1.0 through 9.1.5
• Pulse Secure Installer Service for Windows versions 8.3 and 9.1 (prior to fix)
• All Windows deployments using affected Pulse Secure VPN client versions

Discovery Timeline

• June 16, 2020 - CVE-2020-13162 published to NVD
• May 5, 2025 - Last updated in NVD database

Technical Details for CVE-2020-13162

Vulnerability Analysis

This vulnerability is classified as CWE-367 (Time-of-check Time-of-use Race Condition). The Pulse Secure service performs a security validation check on files before executing them, but a timing gap exists between the verification and the actual execution. During this window, an attacker can substitute a validated legitimate file with a malicious MSI installer.

The attack requires local access to the target system and the ability to win a race condition. Because PulseSecureService.exe operates with NT AUTHORITY/SYSTEM privileges, successful exploitation grants the attacker full administrative control over the affected Windows system, enabling persistence mechanisms, credential theft, and lateral movement within the network.

Root Cause

The root cause lies in the improper handling of file operations within the Pulse Secure service. The service validates an MSI file's integrity and signature at one point in time (the "check"), but then executes the file in a separate operation (the "use"). This temporal gap creates a race condition where an unprivileged user can replace the validated file with a malicious payload before execution occurs.

The service fails to implement proper atomic operations or secure file handling mechanisms such as locking the file during the validation-to-execution sequence, which would prevent tampering between these two operations.

Attack Vector

The attack is performed locally and requires low privileges to execute. An attacker with standard user access to a Windows system running a vulnerable Pulse Secure Client can exploit this vulnerability through the following approach:

1. Identify the file path monitored by PulseSecureService.exe for MSI installations
2. Place a legitimate MSI file that passes the service's validation checks
3. Monitor for the validation event and rapidly swap the legitimate file with a malicious MSI
4. The service, having already validated the original file, executes the attacker-controlled MSI with SYSTEM privileges

The exploitation mechanism involves precise timing to win the race condition between the file validation check and the subsequent file execution. Technical details and proof-of-concept information are available in the Red Timmy analysis and Packet Storm advisories.

Detection Methods for CVE-2020-13162

Indicators of Compromise

• Unexpected MSI installation activity initiated by PulseSecureService.exe outside of normal update windows
• Rapid file modification events in directories monitored by the Pulse Secure service
• New SYSTEM-level processes spawned from msiexec.exe with unusual parent process chains
• Evidence of file replacement attempts using symbolic links or junction points

Detection Strategies

• Monitor for anomalous child processes spawned by PulseSecureService.exe running as SYSTEM
• Implement file integrity monitoring on Pulse Secure installation directories to detect rapid file modifications
• Alert on msiexec.exe executions with SYSTEM privileges that do not correlate with authorized software deployment activities
• Use endpoint detection rules to identify race condition exploitation patterns such as rapid file create/delete/rename sequences

Monitoring Recommendations

• Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing
• Deploy behavioral analysis to detect privilege escalation attempts targeting VPN client services
• Configure SIEM rules to correlate Pulse Secure service activity with unexpected MSI installations
• Review audit logs for unusual access patterns to Pulse Secure service directories

How to Mitigate CVE-2020-13162

Immediate Actions Required

• Upgrade all Pulse Secure Desktop Client installations to version 9.1.6 or later immediately
• Audit all Windows endpoints to identify systems running vulnerable Pulse Secure Client versions
• Implement application whitelisting to restrict MSI execution to authorized installers
• Apply the principle of least privilege to limit potential exploit impact

Patch Information

Pulse Secure has released version 9.1.6 of the Pulse Secure Desktop Client for Windows which addresses this vulnerability. Organizations should prioritize patching as this vulnerability enables local privilege escalation to SYSTEM. Refer to Pulse Secure Advisory SA44503 for official patch details and download links.

Workarounds

• Restrict local user accounts on critical systems to prevent unauthorized local access
• Implement endpoint protection solutions that can detect and block race condition exploitation attempts
• Consider removing Pulse Secure Client from systems where it is not actively required until patching is complete
• Monitor and restrict access to directories used by the Pulse Secure service for temporary file operations

# Verify Pulse Secure Client version on Windows
wmic product where "name like 'Pulse Secure%'" get name,version

# Check running Pulse Secure service
sc query "PulseSecureService"

# Review service permissions
sc sdshow "PulseSecureService"