The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22937

CVE-2021-22937: Ivanti Connect Secure Auth Bypass Flaw

CVE-2021-22937 is an authentication bypass vulnerability in Ivanti Connect Secure that allows authenticated administrators to perform unauthorized file writes via malicious archives. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: February 25, 2026

CVE-2021-22937 Overview

CVE-2021-22937 is a dangerous file write vulnerability affecting Pulse Connect Secure (now Ivanti Connect Secure) VPN appliances before version 9.1R12. This vulnerability allows an authenticated administrator to perform arbitrary file write operations via a maliciously crafted archive uploaded through the administrator web interface. The flaw stems from improper validation of archive contents during the upload process (CWE-434: Unrestricted Upload of File with Dangerous Type).

Critical Impact

Authenticated administrators can leverage this vulnerability to write arbitrary files to the system, potentially leading to remote code execution, system compromise, or persistent backdoor installation on critical VPN infrastructure.

Affected Products

  • Ivanti Connect Secure versions 9.1 through 9.1R11.0
  • Pulse Secure Pulse Connect Secure versions prior to 9.1R12
  • All 9.1 release variants including R1.0 through R11.0

Discovery Timeline

  • August 16, 2021 - CVE-2021-22937 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-22937

Vulnerability Analysis

This vulnerability exists in the administrative interface of Pulse Connect Secure appliances, specifically in the functionality that handles archive file uploads. When an administrator uploads an archive file through the web interface, the application fails to properly validate and sanitize the contents of the archive before extraction. This allows a malicious actor with administrative credentials to craft a specially designed archive containing files with path traversal sequences or targeting sensitive system locations.

The exploitation requires valid administrator credentials, which limits the attack surface but does not diminish the severity given that VPN appliances are high-value targets. Compromised admin credentials through phishing, credential stuffing, or previous breaches could enable exploitation. Once arbitrary file write is achieved, an attacker can overwrite configuration files, inject malicious code, or establish persistent access to the VPN gateway.

Root Cause

The root cause of CVE-2021-22937 is the lack of proper validation of archive contents during the file upload and extraction process in the administrator web interface. The application does not adequately verify file paths within uploaded archives, allowing files to be written outside the intended directory structure. This constitutes an unrestricted file upload vulnerability (CWE-434) where dangerous file types or file paths are not properly sanitized before processing.

Attack Vector

The attack vector for this vulnerability is network-based, requiring the attacker to have authenticated access to the administrative web interface. The exploitation flow typically involves:

  1. Attacker obtains valid administrator credentials through social engineering, credential theft, or brute force attacks
  2. Attacker crafts a malicious archive file containing path traversal sequences (e.g., ../../../) or absolute paths targeting critical system files
  3. Attacker uploads the malicious archive through the legitimate administrator upload functionality
  4. The server extracts the archive without proper validation, writing attacker-controlled content to arbitrary file system locations
  5. Depending on the targeted files, the attacker may achieve code execution, configuration manipulation, or persistent backdoor installation

The vulnerability does not require user interaction beyond the initial authentication and can be exploited remotely over the network. Due to the nature of VPN appliances sitting at network perimeters, successful exploitation could provide attackers with a pivotal position for lateral movement into internal networks.

Detection Methods for CVE-2021-22937

Indicators of Compromise

  • Unexpected file modifications in system directories outside the normal upload paths
  • Unusual archive upload activity in administrator audit logs
  • New or modified files with timestamps correlating to admin interface access
  • Unauthorized configuration changes or new administrative accounts

Detection Strategies

  • Monitor administrator web interface access logs for archive upload operations followed by suspicious file system activity
  • Implement file integrity monitoring (FIM) on critical Pulse Connect Secure system directories
  • Review authentication logs for administrator account access from unusual IP addresses or at unusual times
  • Deploy network detection rules to identify malicious archive content patterns in HTTP POST requests to the admin interface

Monitoring Recommendations

  • Enable comprehensive audit logging for all administrative actions on Pulse Connect Secure appliances
  • Configure SIEM alerts for multiple archive uploads within short time windows
  • Monitor outbound connections from VPN appliances that may indicate command and control communication
  • Regularly compare system file hashes against known-good baselines

How to Mitigate CVE-2021-22937

Immediate Actions Required

  • Upgrade Pulse Connect Secure to version 9.1R12 or later immediately
  • Review administrator account access and reset credentials for all administrative accounts
  • Audit recent administrative activity for suspicious archive uploads
  • Implement network segmentation to restrict management interface access to trusted networks only

Patch Information

Ivanti (formerly Pulse Secure) has released version 9.1R12 which addresses this vulnerability. Organizations should apply the patch as soon as possible. Detailed patch information and download links are available in the Pulse Secure Advisory SA44858. Given the critical nature of VPN infrastructure, expedited patching through emergency change windows is recommended.

Workarounds

  • Restrict administrative interface access to specific trusted IP addresses using firewall rules
  • Implement multi-factor authentication for administrator accounts to reduce credential theft risk
  • Enable enhanced audit logging to detect potential exploitation attempts
  • Consider placing management interfaces on isolated management networks not accessible from the general internet
bash
# Configuration example: Restrict admin interface access via iptables
# Allow admin interface access only from trusted management subnet
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Verify current Pulse Connect Secure version
# Access: System > Maintenance > Upgrade/Downgrade
# Ensure version is 9.1R12 or higher

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechIvanti Connect Secure
  • SeverityHIGH
  • CVSS Score7.2
  • EPSS Probability10.25%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-434
  • Vendor Resources
  • Pulse Secure Advisory SA44858
  • Related CVEs
  • CVE-2021-22893: Ivanti Connect Secure Auth Bypass Flaw
  • CVE-2023-46805: Ivanti Connect Secure Auth Bypass Flaw
  • CVE-2025-5450: Ivanti Connect Secure Auth Bypass Flaw
  • CVE-2021-22894: Ivanti Connect Secure RCE Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English