Threats / Ivanti / CVE-2020-8260
CVE-2020-8260
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Ivanti Pulse Connect Secure vulnerability
Pulse Connect Secure contains an uncontrolled gzip extraction vulnerability allowing authenticated attackers to execute arbitrary code.
Verdict
Today item — known-exploited.
An authenticated attacker can exploit improper handling of gzip-compressed files in Pulse Connect Secure to achieve code execution. The vulnerability has been observed in active exploitation.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
15 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03).
Probability (EPSS)
EPSS 0.9648 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Ivanti, Pulse Connect Secure. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-434 Unrestricted File Upload — weakness family: Path traversal / file.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I authenticate to Pulse Connect Secure using valid credentials.
Business
Legitimate user accounts or compromised credentials provide initial access to the system.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I upload or submit a malicious gzip-compressed file that bypasses extraction validation.
Business
The application processes untrusted archive content without proper integrity or path checks.
3
Lateral reach — past segmentation narrative 3
Attacker
I craft the archive to extract files to arbitrary locations or with malicious payloads.
Business
Uncontrolled extraction writes attacker-controlled data to the server filesystem.
4
Data at risk — exfiltration narrative 4
Attacker
I execute arbitrary code on the target system through the extracted files.
Business
The attacker gains full code execution capability within the Pulse Connect Secure process context.
5
Lights out — disruption & extortion narrative 5
Attacker
I establish persistence and move laterally through the network infrastructure.
Business
The VPN gateway is compromised, enabling breach of protected internal networks and data exfiltration.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05