CVE-2019-11509
Description
In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute arbitrary code on the appliance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated admin users can execute arbitrary code on Pulse Secure appliances via incorrect access control in the admin web interface. PCS and PPS releases before the fixed versions listed below are affected.
Vulnerability
The vulnerability is an incorrect access control issue in the admin web interface of Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). It allows an authenticated attacker to execute arbitrary code on the appliance. Affected versions: Pulse Connect Secure before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4; Pulse Policy Secure before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2 [1].
Exploitation
The attacker must have authenticated access to the admin web interface. No user interaction beyond authentication is required. The exact steps are not detailed in the available references, but the vulnerability is classified as incorrect access control, suggesting the attacker can access functionality or endpoints that should be restricted, leading to arbitrary code execution [1].
Impact
Successful exploitation allows the authenticated attacker to execute arbitrary code on the Pulse Secure appliance. This can lead to full compromise of the appliance, including data disclosure, modification, or denial of service, and potentially pivoting to other network resources [1].
Mitigation
Pulse Secure released out-of-cycle patches on April 24, 2019. Administrators should upgrade to the following fixed versions: Pulse Connect Secure 8.1R15.1, 8.2R12.1, 8.3R7.1, or 9.0R3.4; Pulse Policy Secure 5.1R15.1, 5.2R12.1, 5.3R15.1, 5.4R7.1, or 9.0R3.2. No workarounds are available [1].
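To triage an appliance inventory against the fixed releases listed above, the following added example (not code from Pulse Secure or the advisory) classifies a reported version string. It assumes versions follow the form `<major>.<minor>R<release>[.<patch>]` and order numerically; the function names, the `unlisted` result and the sample inventory are constructed for illustration.

```python
import re

# Fixed releases as listed on this page, per product.
FIXED = {
    "PCS": ["8.1R15.1", "8.2R12.1", "8.3R7.1", "9.0R3.4"],
    "PPS": ["5.1R15.1", "5.2R12.1", "5.3R15.1", "5.4R7.1", "9.0R3.2"],
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. "8.3R7.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor), (release, patch)); raise ValueError if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (release, patch)


def cve_2019_11509_status(product, version):
    """Classify a version as 'affected', 'fixed' or 'unlisted'."""
    fixed = dict(parse_version(v) for v in FIXED[product.upper()])
    branch, build = parse_version(version)
    if branch in fixed:
        # Same branch: compare (release, patch) against that branch's fix.
        return "affected" if build < fixed[branch] else "fixed"
    if branch < min(fixed):
        # The page's wording "before 8.1R15.1" / "before 5.1R15.1" also
        # covers branches older than the first listed one.
        return "affected"
    # Branch not named on this page: check the vendor advisory directly.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("vpn-edge-01", "PCS", "8.3R7"),
        ("vpn-edge-02", "PCS", "9.0R3.4"),
        ("nac-core-01", "PPS", "5.4R6"),
        ("nac-core-02", "PPS", "9.0R3.2"),
    ]
    for host, product, version in inventory:
        print(f"{host}: {product} {version} -> "
              f"{cve_2019_11509_status(product, version)}")
```

A malformed version string raises `ValueError`, so such a host is not silently reported as fixed.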
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Pulse Secure/Pulse Connect Secure
- Range: before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, 9.0 before 9.0R3.4
- Range: before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, 9.0 before 9.0R3.2
References
- www.kb.cert.org/vuls/id/927237 (mitre, third-party-advisory, x_refsource_CERT-VN)
- kb.pulsesecure.net (mitre, x_refsource_MISC)
- kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ (mitre, x_refsource_CONFIRM)