On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 2.137.127.2 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510).#threatintel pic.twitter.com/fiRUMKjwbE

— Bad Packets Report (@bad_packets) August 22, 2019

On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 81.40.150.167 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510) that allows sensitive information disclosure.#threatintel pic.twitter.com/vYEJ1Coa38

— Bad Packets Report (@bad_packets) August 23, 2019

On Thursday, August 29, 2019, our honeypots detected mass scanning for vulnerable Fortinet and Pulse Secure VPN servers from a host in the United States.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 209.217.227.186 (🇺🇸) attempting to exploit Pulse Secure VPN servers (CVE-2019-11510) and Fortinet FortiGate VPN servers (CVE-2018-13379) vulnerable to sensitive information disclosure.#threatintel pic.twitter.com/UQkgUPSkKo

— Bad Packets Report (@bad_packets) August 30, 2019

The exploit activity detected from hosts in Spain attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). In all cases, a successful “HTTP 200/OK” response to this scan indicates the endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely attackers have enumerated all publicly accessible Pulse Secure VPN servers vulnerable to CVE-2019-11510.

How many hosts are vulnerable to CVE-2019-11510?

Using data provided by BinaryEdge, we scanned 41,850 Pulse Secure VPN endpoints to ascertain which were vulnerable. On Saturday, August 24, 2019, our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. No sensitive information was disclosed or recorded during our scans as we simply sent a HEAD HTTP request (unlike a GET request that downloads a file) to confirm the arbitrary file reading vulnerability was possible.

Where are the vulnerable hosts located?

Vulnerable hosts were found in 121 countries around the world.

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Pulse Secure VPN endpoints were located in the United States.

Which organizations are affected by CVE-2019-11510?

2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects:

• U.S. military, federal, state, and local government agencies
• Public universities and schools
• Hospitals and health care providers
• Electric and gas utilities
• Major financial institutions
• News / Media corporations
• Numerous Fortune 500 companies

The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code.

Additionally, further exploitation of this vulnerability could allow remote code execution (RCE) on the clients connecting to a compromised VPN server. This technique could be used to spread ransomware and any other type of malware on sensitive networks.

Closing Remarks

Pulse Secure VPN administrators need to immediately ensure they’re not using versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions. There is no workaround for this vulnerability. Given the severity of this sensitive information disclosure vulnerability coupled with the risk of unauthorized access to private networks – there is little time to update before threat actors engage in further malicious activity.

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Pulse Secure VPN endpoints will not be published publicly. However, the list is freely available for authorized government CERT and CSIRT teams to review. We’ve shared our findings directly with US-CERT (CISA) and other U.S. federal law enforcement agencies for further investigation and remediation.

We’ve also notified these organizations: A-ISAC, ACSC, aeCERT, AusCERT, CCCS, CERT-Bund, CERT/CC, CERT.be, CERT-FR, CERTGOVIL, CERT-In, CERT POLSKA, CERT.PT, CIRCL.LU, CITC-SA, colCERT, E-ISAC, EG-CERT, GovCERT.ch, GovCERT.gv.at, GovCERT.HK, GOVCERT.LU, H-ISAC, IL-CERT, Janet CSIRT, JPCERT/CC, KN-CERT, KPN-CERT, MOD, MS-ISAC, MSRC, NAAEA, NCFTA, NCIS, NCSC, NCSC-IE, NCSC-NL, Q-CERT, REN-ISAC, SingCERT, ThaiCERT, TR-CERT, TWCERT/CC, TWNCERT, and VNCERT.

Additional Updates

On Saturday, August, 31, 2019, we conducted another round of vulnerability scanning and found 10,471 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

Total vulnerable Pulse Secure VPN servers by country:
🇺🇸 United States: 3,481
🇯🇵 Japan: 1,381
🇬🇧 United Kingdom: 664
🇫🇷 France: 418
🇩🇪 Germany: 400
🇳🇱 Netherlands: 283
🇰🇷 South Korea: 258
🇧🇪 Belgium: 252
🇮🇱 Israel: 225
🇨🇭 Switzerland: 213
All others: 2,896https://t.co/HVXWLcJZj1

— Bad Packets Report (@bad_packets) September 1, 2019

On Monday, September 1, 2019, JPCERT/CC published an advisory urging Pulse Secure VPN server administrators to the update to the latest version as soon as possible. We thank JPCERT/CC for their assistance in notifying vulnerable organizations in Japan.

"On August 31, 2019, according to Bad Packets, 10,471 hosts were confirmed to be vulnerable, and 1,381 of them were hosts in Japan. Upon receiving this report, JPCERT/CC started contacting administrators of these hosts." https://t.co/u9nXD8yiDS

— Bad Packets Report (@bad_packets) September 3, 2019

On Thursday, September 5, 2019, our honeypots detected mass scanning for CVE-2019-11510 from two hosts in Germany. The exploit activity attempted to download the “etc/hosts” file which contains the internal hostnames and IP addresses associated with the VPN server.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 164.68.123.63 (🇩🇪) and 5.189.137.92 (🇩🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to sensitive information disclosure of user credentials.#threatintel pic.twitter.com/7uuarIUwWW

— Bad Packets Report (@bad_packets) September 5, 2019

On Friday, September 6, 2019, our honeypots detected mass scanning for CVE-2019-11510 from a host in Estonia. The exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the Pulse Secure VPN server.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.181.41 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information.#threatintel pic.twitter.com/qQg6Zj44gF

— Bad Packets Report (@bad_packets) September 6, 2019

On Saturday, September 7, 2019, our honeypots detected mass scanning for CVE-2019-11510 from another host in Estonia.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.180.68 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information.#threatintel pic.twitter.com/t7pMQrGBAl

— Bad Packets Report (@bad_packets) September 7, 2019

On Sunday, September 8, 2019, our honeypots detected mass scanning for CVE-2019-11510 from yet another host in Estonia. This was the third time we detected exploit activity originating from the network of “FASTVPS” (AS198068).

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 5.101.181.111 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user passwords and private keys.#threatintel pic.twitter.com/aZuZkLHKtM

— Bad Packets Report (@bad_packets) September 8, 2019

Between Sunday, September 8, 2019 and Monday, September, 9, 2019 we conducted another round of CVE-2019-11510 vulnerability scanning and found 9,002 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 16, 2019, we performed additional CVE-2019-11510 vulnerability scans and found 7,712 vulnerable Pulse Secure VPN servers.

On Sunday, September 22, 2019, our honeypots detected mass scanning activity targeting Pulse Secure VPN servers. This activity originated from a host in Russia and a Tor exit node in Sweden.

Someone is also using Tor to scan for Pulse Secure VPN servers. pic.twitter.com/pld5ZTcRYL

— Bad Packets Report (@bad_packets) September 23, 2019

On Monday, September 23, 2019, we completed our weekly CVE-2019-11510 scans and found 7,081 vulnerable Pulse Secure VPN servers. Meanwhile, mass scanning activity targeting Pulse Secure VPN servers over Tor continued.

Mass scanning activity targeting Pulse Secure VPN servers, using Tor, is ongoing.

The response to this scan will indicate if the server is using a version of Pulse Connect Secure vulnerable to CVE-2019-11510.#threatintel https://t.co/Kw6nmdnRV2 pic.twitter.com/yk2sirZURL

— Bad Packets Report (@bad_packets) September 28, 2019

On Monday, September 30, 2019, we completed our weekly scans and found 6,527 vulnerable Pulse Secure VPN servers.

On Monday, October 7, 2019, we completed our weekly CVE-2019-11510 scans and found 6,018 vulnerable Pulse Secure VPN servers. The NSA has published an advisory on how to mitigate threats targeting Pulse Secure and other enterprise-grade VPN servers.

Both @NCSC and @NSAGov are reporting APTs are actively exploiting CVE-2019-11510.

If you're using a vulnerable version of Pulse Secure VPN software (illustrated below) fixed versions are available here: https://t.co/vrSYciVN1u#threatintel https://t.co/YffdQtMCMT pic.twitter.com/9Xp85IYpGf

— Bad Packets Report (@bad_packets) October 9, 2019

Additionally, the NCSC has updated their advisory regarding APT activity targeting vulnerable VPN servers and included a link to our disclosure. We thank NCSC for their assistance in notifying impacted organizations in United Kingdom.

On Sunday, October 13, 2019, our honeypots detected opportunistic mass scanning activity from two Amazon Web Services EC2 instances checking for vulnerable Pulse Secure VPN servers.

Mass scanning activity detected from 15.188.47.240 (🇫🇷) checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.#threatintel https://t.co/rKtB07LqPK

— Bad Packets Report (@bad_packets) October 14, 2019

In both cases, these hosts were exploiting CVE-2019-11510 to download the “/etc/passwd” file from targeted servers.

On Monday, October 14, 2019, we completed our weekly CVE-2019-11510 scans and found 5,640 Pulse Secure VPN servers worldwide remain vulnerable.

On Wednesday, October 16, 2019, CERT/CC published an advisory and timeline of specific events relating to CVE-2019-11510 which referenced our disclosure. We thank CERT/CC for their assistance in notifying organizations affected by this vulnerability. CISA also published an advisory summarizing the multiple vulnerabilities affecting Pulse Secure VPN servers and they urge administrators to apply the necessary updates.

On Monday, October 21, 2019, we completed our ninth round of CVE-2019-11510 scans and found 5,285 vulnerable Pulse Secure VPN servers worldwide.

On Monday, October 28, 2019, we completed our tenth round of vulnerability scans and found 5,080 Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Monday, November 4, 2019, we conducted our eleventh round of vulnerability scans and found 4,889 vulnerable Pulse Secure VPN servers.

On Wednesday, November 6, 2019, our honeypots detected opportunistic mass scanning activity from an Amazon Web Services EC2 instance checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️
Mass scanning activity detected from 52.91.255.126 (🇺🇸) targeting Pulse Secure VPN servers.

The response to this scan will indicate if the server is using a version of Pulse Connect Secure vulnerable to CVE-2019-11510 (https://t.co/lXcedIyQSB).#threatintel pic.twitter.com/Of6ZSTZ6oG

— Bad Packets Report (@bad_packets) November 7, 2019

On Monday, November 11, 2019, we conducted our twelfth round of vulnerability scans and found 4,716 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, November 18, 2019, we conducted our thirteenth round of vulnerability scans and found 4,538 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, November 29, 2019, we conducted our fourteenth round of vulnerability scans and found 4,299 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

Latest Scan Results

Our latest CVE-2019-11510 vulnerability scan results are freely available for authorized CERT, CSIRT, and ISAC teams to review. Please submit a request here and provide the country, ASN, or domain names of your constituency.