Threats / Ivanti / CVE-2020-8243
CVE-2020-8243
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Ivanti Pulse Connect Secure vulnerability
Ivanti Pulse Connect Secure contains a code execution vulnerability in the admin web interface allowing authenticated attackers to upload malicious custom templates.
Verdict
Today item — known-exploited.
An authenticated attacker can exploit improper code evaluation in template handling to achieve remote code execution on Pulse Connect Secure systems. This vulnerability has been observed in active exploitation.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
7 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03).
Probability (EPSS)
EPSS 0.90759 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Ivanti, Pulse Connect Secure. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-94 Code Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I gain valid credentials or session access to the Pulse Connect Secure admin interface through phishing, credential compromise, or insider access.
Business
Administrative credentials represent a critical security perimeter; their compromise enables direct system manipulation.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft a malicious custom template file containing executable code that bypasses template validation.
Business
Template upload functionality intended for legitimate customization becomes a code injection vector.
3
Lateral reach — past segmentation narrative 3
Attacker
I upload the template through the admin interface, triggering unsafe code evaluation during template processing.
Business
The system executes attacker-controlled code with the privileges of the Pulse Connect Secure process.
4
Data at risk — exfiltration narrative 4
Attacker
I establish command execution and persistence on the VPN gateway, enabling lateral movement into the protected network.
Business
Compromise of the VPN appliance grants attackers direct access to internal network resources and sensitive data.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05