CVE-2019-11539

CVE Database · CVE-2019-11539

CVE-2019-11539

· HIGHAnalyzed

CVSS v3.1

7.2

EPSS

98.62%

Published

Apr 25, 2019

Modified

Nov 6, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (4)

All weaponized →

Exploit-DBPulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution Exploit-DBPulse Secure VPN - Arbitrary Command Execution (Metasploit)TrickestTrickest PoC index GitHub PoC0xDezzy/CVE-2019-11539★132

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-78

Affected Products (138)

ivanti · connect_securevulnerable