On Thursday, August 22, 2019, our honeypots detected opportunistic mass scanning activity from a host in Spain targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This arbitrary file read vulnerability lets unauthenticated attackers read sensitive files from the server, including private keys and user passwords. Further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 2.137.127.2 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510). #threatintel pic.twitter.com/fiRUMKjwbE — Bad Packets Report (@bad_packets) August 22, 2019

On Friday, August 23, 2019, our honeypots detected additional mass scanning for CVE-2019-11510 from another host in Spain.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 81.40.150.167 (🇪🇸) checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510) that allows sensitive information disclosure. #threatintel pic.twitter.com/vYEJ1Coa38 — Bad Packets Report (@bad_packets) August 23, 2019

On Thursday, August 29, 2019, our honeypots detected mass scanning activity checking for vulnerable Fortinet and Pulse Secure VPN servers from a host in the United States.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 209.217.227.186 (🇺🇸) attempting to exploit Pulse Secure VPN servers (CVE-2019-11510) and Fortinet FortiGate VPN servers (CVE-2018-13379) vulnerable to sensitive information disclosure. #threatintel pic.twitter.com/UQkgUPSkKo — Bad Packets Report (@bad_packets) August 30, 2019

The exploit activity detected from hosts in Spain attempted to download the “etc/passwd” file which contains the usernames associated with the VPN server (not client accounts). In all cases, a successful “HTTP 200/OK” response to this scan indicates the endpoint is vulnerable to further attacks. Given the ongoing scanning activity, it’s likely attackers have enumerated all publicly accessible Pulse Secure VPN servers vulnerable to CVE-2019-11510.
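The “HTTP 200/OK” observation above is a signal defenders can look for in their own server logs. The following script is an added example written for this post (it is not Bad Packets' or Pulse Secure's code): it parses Combined Log Format lines, resolves path traversal in the request target, flags requests that resolve to /etc/passwd or /etc/hosts, and escalates those that received a 200 response, including HEAD probes, which confirm the file read without retrieving the file. The log lines, IP addresses (RFC 5737 documentation ranges) and the /help/ and /images/ path prefixes are constructed for illustration and do not reproduce the actual exploit request.

```python
"""Flag arbitrary file read / path traversal attempts in web server access logs.

Added example for this post; not Bad Packets' or Pulse Secure's code. Sample log
lines, IP addresses and the path prefixes are constructed for illustration.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files the post reports scanners reading; extend to match a local watchlist.
SENSITIVE_FILES = {"/etc/passwd", "/etc/hosts"}

# Constructed sample log (RFC 5737 documentation addresses, fictitious paths).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2019:10:01:02 +0000] "GET /help/../../../../../../etc/passwd HTTP/1.1" 200 1184 "-" "python-requests/2.22.0"
203.0.113.7 - - [22/Aug/2019:10:01:03 +0000] "GET /help/../../../../../../etc/hosts HTTP/1.1" 200 312 "-" "python-requests/2.22.0"
198.51.100.23 - - [24/Aug/2019:08:15:44 +0000] "HEAD /help/../../../../../../etc/passwd HTTP/1.1" 200 - "-" "scanner/1.0"
192.0.2.44 - - [05/Sep/2019:21:40:10 +0000] "GET /images/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 198 "-" "curl/7.64.0"
192.0.2.44 - - [05/Sep/2019:21:40:11 +0000] "GET /static/../js/app.js HTTP/1.1" 200 9021 "-" "curl/7.64.0"
198.51.100.9 - - [05/Sep/2019:21:41:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def decode_path(target: str) -> str:
    """Drop the query string and percent-decode twice (catches %252e double encoding)."""
    return unquote(unquote(target.split("?", 1)[0]))


def normalise_path(target: str) -> str:
    """Resolve the request target the way a naive file-serving routine would.

    posixpath.normpath collapses '/a/../b' to '/b' and discards '..' segments
    that would climb above '/', so a long traversal chain resolves to the
    absolute file it was aimed at.
    """
    return posixpath.normpath(decode_path(target))


def classify(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m["target"])
    resolved = normalise_path(m["target"])
    traversal = "/../" in decoded + "/"      # any parent-directory hop at all
    hits_file = resolved in SENSITIVE_FILES
    if not traversal and not hits_file:
        return None
    status = int(m["status"])
    if hits_file and status == 200:
        # A 200 to this request (even a HEAD, which carries no body) is the
        # signal the post describes: the server honoured the file read.
        severity = "critical"
    elif hits_file:
        severity = "high"       # attempt was made; server did not return the file
    else:
        severity = "medium"     # traversal noise worth a look; target not on the watchlist
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "resolved": resolved,
        "status": status,
        "severity": severity,
    }


def analyse(log_text: str):
    """Classify every line; return (findings in log order, findings per source IP)."""
    findings = [f for f in (classify(line) for line in log_text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results, per_ip = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:15} {f['method']:4} {f['resolved']} -> {f['status']}")
    print("sources:", dict(per_ip))
```

Run against a real access log, the per-IP counter gives the same view a honeypot gives: which sources are probing, and whether any probe was answered with a 200. The method field separates a HEAD verification probe from a GET that actually retrieved the file, which matters when deciding whether credentials should be rotated.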

How many hosts are vulnerable to CVE-2019-11510?

Using data provided by BinaryEdge, we scanned 41,850 Pulse Secure VPN endpoints to ascertain which were vulnerable. On Saturday, August 24, 2019, our scans found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. No sensitive information was disclosed or recorded during our scans, as we simply sent an HTTP HEAD request (rather than a GET request, which would download the file) to confirm the arbitrary file read vulnerability.

Where are the vulnerable hosts located?

Vulnerable hosts were found in 121 countries around the world.

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Pulse Secure VPN endpoints were located in the United States.

Which organizations are affected by CVE-2019-11510?

2,535 unique autonomous systems (network providers) were found to have vulnerable Pulse Secure VPN endpoints on their network. We’ve discovered this vulnerability currently affects:

U.S. military, federal, state, and local government agencies

Public universities and schools

Hospitals and health care providers

Electric and gas utilities

Major financial institutions

News / Media corporations

Numerous Fortune 500 companies

The list of affected organizations will not be published because this critical vulnerability is easy to exploit using publicly available proof-of-concept code.

Additionally, further exploitation of this vulnerability could allow remote code execution (RCE) on the clients connecting to a compromised VPN server. This technique could be used to spread ransomware and any other type of malware on sensitive networks.

Closing Remarks

Pulse Secure VPN administrators need to immediately ensure they’re not running versions of the “Pulse Connect Secure” server software vulnerable to CVE-2019-11510. Pulse Secure has provided guidance on how to update to fixed versions. There is no workaround for this vulnerability. Given the severity of this sensitive information disclosure vulnerability, coupled with the risk of unauthorized access to private networks, there is little time to update before threat actors engage in further malicious activity.

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Pulse Secure VPN endpoints will not be published publicly. However, the list is freely available for authorized government CERT, CSIRT, and ISAC teams to review.

We’ve shared our findings directly with US-CERT (CISA/DHS) and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we’ve also notified these organizations: A-ISAC, ACSC, aeCERT, AusCERT, CCCS, CERT-Bund, CERT/CC, CERT.be, CERT-FR (ANSSI), CERTGOVIL, CERT-In, CERT Orange Cyberdefense, CERT POLSKA, CERT.PT, CERT NZ, CFCS-DK, CIRCL.LU, CITC-SA, colCERT, CNCERT/CC, E-ISAC, EG-CERT, FS-ISAC, GovCERT.ch, GovCERT.gv.at, GovCERT.HK, GOVCERT.LU, H-ISAC, IL-CERT, INCIBE-CERT, Janet CSIRT, JPCERT/CC, KN-CERT, KPN-CERT, MOD, MS-ISAC, MSRC, NAAEA, NCIIPC, NCFTA, NCIS, NCSC, NCSC-IE, NCSC-NL, Q-CERT, REN-ISAC, SingCERT, ThaiCERT, TR-CERT, TSA, TT-CSIRT, TWCERT/CC, TWNCERT, VNCERT, and Yoroi CERT.

Additional Updates

On Saturday, August 31, 2019, we conducted another round of vulnerability scanning and found 10,471 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

Total vulnerable Pulse Secure VPN servers by country:

🇺🇸 United States: 3,481

🇯🇵 Japan: 1,381

🇬🇧 United Kingdom: 664

🇫🇷 France: 418

🇩🇪 Germany: 400

🇳🇱 Netherlands: 283

🇰🇷 South Korea: 258

🇧🇪 Belgium: 252

🇮🇱 Israel: 225

🇨🇭 Switzerland: 213

All others: 2,896 https://t.co/HVXWLcJZj1 — Bad Packets Report (@bad_packets) September 1, 2019

On Monday, September 1, 2019, JPCERT/CC published an advisory urging Pulse Secure VPN server administrators to update to the latest version as soon as possible. We thank JPCERT/CC for their assistance in notifying vulnerable organizations in Japan.

"On August 31, 2019, according to Bad Packets, 10,471 hosts were confirmed to be vulnerable, and 1,381 of them were hosts in Japan. Upon receiving this report, JPCERT/CC started contacting administrators of these hosts." https://t.co/u9nXD8yiDS — Bad Packets Report (@bad_packets) September 3, 2019

On Thursday, September 5, 2019, our honeypots detected mass scanning for CVE-2019-11510 from two hosts in Germany. The exploit activity attempted to download the “etc/hosts” file which contains the internal hostnames and IP addresses associated with the VPN server.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 164.68.123.63 (🇩🇪) and 5.189.137.92 (🇩🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to sensitive information disclosure of user credentials. #threatintel pic.twitter.com/7uuarIUwWW — Bad Packets Report (@bad_packets) September 5, 2019

On Friday, September 6, 2019, our honeypots detected mass scanning for CVE-2019-11510 from a host in Estonia. The exploit activity attempted to download the “etc/passwd” file which contains the usernames associated with the Pulse Secure VPN server.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 5.101.181.41 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information. #threatintel pic.twitter.com/qQg6Zj44gF — Bad Packets Report (@bad_packets) September 6, 2019

On Saturday, September 7, 2019, our honeypots detected mass scanning for CVE-2019-11510 from another host in Estonia.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 5.101.180.68 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user credentials and other sensitive information. #threatintel pic.twitter.com/t7pMQrGBAl — Bad Packets Report (@bad_packets) September 7, 2019

On Sunday, September 8, 2019, our honeypots detected mass scanning for CVE-2019-11510 from yet another host in Estonia. This was the third time we detected exploit activity originating from the network of “FASTVPS” (AS198068).

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 5.101.181.111 (🇪🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user passwords and private keys. #threatintel pic.twitter.com/aZuZkLHKtM — Bad Packets Report (@bad_packets) September 8, 2019

On Sunday, September 22, 2019, our honeypots detected mass scanning activity targeting Pulse Secure VPN servers. This activity originated from a host in Russia and a Tor exit node in Sweden.

Someone is also using Tor to scan for Pulse Secure VPN servers. pic.twitter.com/pld5ZTcRYL — Bad Packets Report (@bad_packets) September 23, 2019

On Monday, September 23, 2019, mass scanning activity targeting Pulse Secure VPN servers over Tor continued.

Mass scanning activity targeting Pulse Secure VPN servers, using Tor, is ongoing. The response to this scan will indicate if the server is using a version of Pulse Connect Secure vulnerable to CVE-2019-11510. #threatintel https://t.co/Kw6nmdnRV2 pic.twitter.com/yk2sirZURL — Bad Packets Report (@bad_packets) September 28, 2019

On Monday, October 7, 2019, the NSA published an advisory on how to mitigate threats targeting Pulse Secure and other enterprise-grade VPN servers.

Both @NCSC and @NSAGov are reporting APTs are actively exploiting CVE-2019-11510. If you're using a vulnerable version of Pulse Secure VPN software (illustrated below) fixed versions are available here: https://t.co/vrSYciVN1u #threatintel https://t.co/YffdQtMCMT pic.twitter.com/9Xp85IYpGf — Bad Packets Report (@bad_packets) October 9, 2019

Additionally, the NCSC has updated their advisory regarding APT activity targeting vulnerable VPN servers and included a link to our disclosure. We thank NCSC for their assistance in notifying impacted organizations in the United Kingdom.

On Sunday, October 13, 2019, our honeypots detected opportunistic mass scanning activity from two Amazon Web Services EC2 instances checking for vulnerable Pulse Secure VPN servers.

Mass scanning activity detected from 15.188.47.240 (🇫🇷) checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510. #threatintel https://t.co/rKtB07LqPK — Bad Packets Report (@bad_packets) October 14, 2019

In both cases, these hosts were exploiting CVE-2019-11510 to download the “/etc/passwd” file from targeted servers.

On Wednesday, October 16, 2019, CERT/CC published an advisory and timeline of specific events relating to CVE-2019-11510 which referenced our disclosure. We thank CERT/CC for their assistance in notifying organizations affected by this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory summarizing the multiple vulnerabilities affecting Pulse Secure VPN servers and they urge administrators to apply the necessary updates.

On Wednesday, November 6, 2019, our honeypots detected opportunistic mass scanning activity from an Amazon Web Services EC2 instance checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

⚠️ 𝗪𝗔𝗥𝗡𝗜𝗡𝗚 ⚠️

Mass scanning activity detected from 52.91.255.126 (🇺🇸) targeting Pulse Secure VPN servers. The response to this scan will indicate if the server is using a version of Pulse Connect Secure vulnerable to CVE-2019-11510 (https://t.co/lXcedIyQSB). #threatintel pic.twitter.com/Of6ZSTZ6oG — Bad Packets Report (@bad_packets) November 7, 2019

On Monday, December 16, 2019, our honeypots detected opportunistic mass scanning activity from an Amazon Web Services EC2 instance in Germany checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

Mass scanning activity detected from 18.194.139.142 (🇩🇪) attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user passwords and private keys. #threatintel pic.twitter.com/QreB9BUPfv — Bad Packets Report (@bad_packets) December 16, 2019

On Tuesday, January 7, 2020, our honeypots detected opportunistic mass scanning activity from multiple Linode hosts checking for Pulse Secure VPN servers vulnerable to CVE-2019-11510.

Mass scanning activity detected from 173.255.200.120 (🇺🇸) checking for Pulse Secure VPN servers. Responses to this scan will indicate if the server is using a version of Pulse Connect Secure vulnerable to CVE-2019-11510 (https://t.co/lXcedIyQSB). #threatintel pic.twitter.com/oCUC3wJlCL — Bad Packets Report (@bad_packets) January 7, 2020

On Friday, January 10, 2020, CISA published an alert regarding the continued exploitation of CVE-2019-11510 and strongly urged affected organizations to patch their Pulse Secure VPN servers to fixed versions.

On Thursday, January 16, 2020, The Wall Street Journal published an investigative report detailing the ransomware attack targeting Travelex and other organizations that still hadn’t patched against CVE-2019-11510.

On Wednesday, March 25, 2020, JPCERT/CC published a summary report advising the remaining affected Pulse Secure VPN users in Japan to patch their vulnerable servers.

On Thursday, April 16, 2020, CISA released an open source tool, aptly named check-your-pulse, for reviewing Pulse Secure VPN server logs for indicators of compromise. CISA noted that organizations that already patched may have been compromised before doing so.

On Friday, April 24, 2020, our honeypots detected coordinated botnet mass scanning activity targeting ASUS routers, Citrix (NetScaler) VPN servers, Fortinet VPN servers, OpenWrt routers, Pulse Secure VPN servers, SMC routers, Ubiquiti routers, and Westell modems.

The ongoing mass scanning botnet activity targeting ASUS routers, Citrix (NetScaler) VPN servers, Fortinet VPN servers, OpenWrt routers, Pulse Secure VPN servers, SMC routers, Ubiquiti routers, and Westell modems is: — Bad Packets Report (@bad_packets) April 28, 2020

This botnet appeared to consist of compromised corporate (business) servers and customers of cloud providers – such as Alibaba, AWS, Azure, Google, Oracle, and others. Bad Packets® CTI users can query our API to receive a full list of compromised hosts that need immediate remediation.

Weekly CVE-2019-11510 Scan Results

Between Sunday, September 8, 2019 and Monday, September 9, 2019 we conducted another round of CVE-2019-11510 vulnerability scanning and found 9,002 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, September 16, 2019, we performed additional CVE-2019-11510 vulnerability scans and found 7,712 vulnerable Pulse Secure VPN servers.

On Monday, September 23, 2019, we completed our weekly CVE-2019-11510 scans and found 7,081 vulnerable Pulse Secure VPN servers.

On Monday, September 30, 2019, we completed our weekly scans and found 6,527 vulnerable Pulse Secure VPN servers.

On Monday, October 7, 2019, we completed our weekly CVE-2019-11510 scans and found 6,018 vulnerable Pulse Secure VPN servers.

On Monday, October 14, 2019, we completed our weekly CVE-2019-11510 scans and found 5,640 Pulse Secure VPN servers worldwide remain vulnerable.

On Monday, October 21, 2019, we completed our ninth round of CVE-2019-11510 scans and found 5,285 vulnerable Pulse Secure VPN servers worldwide.

On Monday, October 28, 2019, we completed our tenth round of vulnerability scans and found 5,080 Pulse Secure VPN servers vulnerable to CVE-2019-11510.

On Monday, November 4, 2019, we conducted our eleventh round of vulnerability scans and found 4,889 vulnerable Pulse Secure VPN servers.

On Monday, November 11, 2019, we conducted our twelfth round of vulnerability scans and found 4,716 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Monday, November 18, 2019, we conducted our thirteenth round of vulnerability scans and found 4,538 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, November 29, 2019, we conducted our fourteenth round of vulnerability scans and found 4,299 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 6, 2019, we conducted our fifteenth round of vulnerability scans and found 4,182 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 13, 2019, we conducted our sixteenth round of vulnerability scans and found 4,021 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 20, 2019, we conducted our seventeenth round of vulnerability scans and found 3,905 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, December 27, 2019, we conducted our eighteenth round of vulnerability scans and found 3,826 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 3, 2020, we conducted our nineteenth round of vulnerability scans and found 3,825 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 10, 2020, we conducted our twentieth round of vulnerability scans and found 3,623 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 17, 2020, we conducted our twenty-first round of vulnerability scans and found 3,328 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, January 24, 2020, we conducted our twenty-second round of vulnerability scans and found 3,149 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Friday, February 20, 2020, we conducted our twenty-third round of vulnerability scans and found 2,495 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Tuesday, March 3, 2020, we conducted our twenty-fourth round of vulnerability scans and found 2,322 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

On Tuesday, March 23, 2020, we conducted our twenty-fifth round of vulnerability scans and found 2,099 Pulse Secure VPN servers worldwide remain vulnerable to compromise.

Total vulnerable Pulse Secure VPN servers by country:

🇺🇸 United States: 562

🇯🇵 Japan: 298

🇰🇷 South Korea: 135

🇬🇧 United Kingdom: 126

🇨🇳 China: 104

🇩🇪 Germany: 87

🇭🇰 Hong Kong: 76

🇫🇷 France: 68

🇹🇼 Taiwan: 54

🇨🇭 Switzerland: 49

🌎 All others: 540 https://t.co/7Fu1r7T3ot — Bad Packets Report (@bad_packets) March 24, 2020

How to obtain our CVE-2019-11510 report

Our latest CVE-2019-11510 vulnerability scan results are freely available for authorized government CERT, ISAC, and law enforcement teams to review. Please submit a request here and provide the country, ASN, or domain names of your constituency.