CVE DATABASE / CVE-2021-22900
CVE-2021-22900
Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability
CVSS 7.2 · HIGH
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2021-11-03.
Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.
Summary
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
CVSS 3.1 breakdown
| Base score | 7.2 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | HIGH |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Ivanti connect securePulsesecure pulse connect secure
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22900
Data: NIST NVD + CISA KEV. NVD last modified 2025-12-18. Always verify against the vendor advisory before acting.