Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22899

CVE-2021-22899: Ivanti Connect Secure RCE Vulnerability

CVE-2021-22899 is a command injection RCE flaw in Ivanti Connect Secure that allows authenticated attackers to execute arbitrary code via Windows Resource Profiles. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2021-22899 Overview

A command injection vulnerability exists in Pulse Connect Secure (now Ivanti Connect Secure) before version 9.1R11.4 that allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles Feature. This vulnerability affects the widely deployed VPN solution and represents a significant security risk for organizations relying on Pulse Connect Secure for remote access.

Critical Impact

This vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Authenticated attackers can leverage the Windows Resource Profiles Feature to execute arbitrary commands on vulnerable systems, potentially leading to complete system compromise.

Affected Products

  • Ivanti Connect Secure versions 9.0 (all releases through 9.0R6.0)
  • Ivanti Connect Secure versions 9.1 through 9.1R11.3
  • Pulse Connect Secure versions prior to 9.1R11.4

Discovery Timeline

  • May 27, 2021 - CVE CVE-2021-22899 published to NVD
  • December 18, 2025 - Last updated in NVD database

Technical Details for CVE-2021-22899

Vulnerability Analysis

This command injection vulnerability (CWE-77) resides in the Windows Resource Profiles Feature of Pulse Connect Secure. The vulnerability allows authenticated users to inject and execute arbitrary commands on the underlying operating system through specially crafted input that is not properly sanitized before being passed to system command execution functions.

The attack requires network access and authentication to the Pulse Connect Secure appliance. Once authenticated, an attacker can exploit the Windows Resource Profiles Feature to break out of the intended application context and execute commands with the privileges of the VPN appliance. This can result in complete confidentiality, integrity, and availability compromise of the affected system.

The inclusion of this CVE in CISA's Known Exploited Vulnerabilities catalog indicates that threat actors have successfully weaponized this vulnerability in real-world attacks, making immediate patching essential for affected organizations.

Root Cause

The root cause of this vulnerability is improper input validation and sanitization within the Windows Resource Profiles Feature. User-supplied input is incorporated into system commands without adequate filtering or escaping, allowing metacharacters and command separators to be interpreted by the command processor. This classic command injection pattern (CWE-77: Improper Neutralization of Special Elements used in a Command) enables attackers to append or inject arbitrary commands that execute with the application's privileges.

Attack Vector

The attack is executed remotely over the network. An attacker must first authenticate to the Pulse Connect Secure appliance, then navigate to the Windows Resource Profiles configuration interface. By injecting command injection payloads into vulnerable input fields, the attacker can cause the system to execute arbitrary commands. The attack does not require user interaction beyond the attacker's own actions.

The exploitation mechanism involves crafting malicious input containing shell metacharacters (such as semicolons, pipes, or backticks) that terminate the intended command and execute attacker-controlled commands. Since the vulnerability requires authentication, attackers may leverage stolen credentials, phishing attacks, or other authentication bypass vulnerabilities to gain the initial access needed for exploitation.

Detection Methods for CVE-2021-22899

Indicators of Compromise

  • Unusual or unauthorized modifications to Windows Resource Profiles configurations
  • Unexpected processes spawned by the Pulse Connect Secure service
  • Anomalous outbound network connections from the VPN appliance
  • Evidence of command execution artifacts in system logs with unusual command patterns or shell metacharacters

Detection Strategies

  • Monitor Pulse Connect Secure logs for suspicious activity in the Windows Resource Profiles Feature
  • Implement network detection rules for unusual traffic patterns originating from VPN appliances
  • Deploy endpoint detection and response (EDR) solutions to identify post-exploitation behavior
  • Review authentication logs for compromised accounts being used to access administrative functions

Monitoring Recommendations

  • Enable verbose logging on Pulse Connect Secure appliances and forward logs to a SIEM
  • Configure alerts for configuration changes to Windows Resource Profiles
  • Monitor for indicators of lateral movement originating from VPN infrastructure
  • Implement behavioral analysis to detect anomalous command execution patterns

How to Mitigate CVE-2021-22899

Immediate Actions Required

  • Upgrade Pulse Connect Secure to version 9.1R11.4 or later immediately
  • Review user accounts with access to Windows Resource Profiles Feature and enforce principle of least privilege
  • Audit recent configuration changes and administrative actions for signs of compromise
  • Consider running the Pulse Secure Integrity Checker Tool to detect potential compromise

Patch Information

Ivanti (formerly Pulse Secure) has released a security update that addresses this vulnerability. Organizations should upgrade to Pulse Connect Secure version 9.1R11.4 or later. Detailed patch information and download links are available in the Pulse Secure Advisory SA44784. Given the confirmed active exploitation of this vulnerability, patching should be treated as an emergency priority.

Workarounds

  • Restrict access to the Windows Resource Profiles Feature to only essential administrative accounts
  • Implement network segmentation to limit exposure of VPN management interfaces
  • Deploy web application firewall rules to filter potentially malicious input to the vulnerable feature
  • Consider disabling the Windows Resource Profiles Feature if not operationally required until patching can be completed
bash
# Verify Pulse Connect Secure version
# Access the admin console and navigate to:
# Maintenance > System > Platform
# Ensure version is 9.1R11.4 or later

# Review Windows Resource Profiles access
# Navigate to: Users > User Roles > [Role Name] > Windows > File Browsing
# Audit and restrict access as appropriate

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne