
Rapid7 Analysis: CVE-2021-22893

Last updated on Jun 16, 2026

On Tuesday, April 20, 2021, security firm FireEye published a detailed analysis of multiple APT campaigns targeting vulnerabilities in Ivanti’s Pulse Connect Secure VPN appliances. According to that analysis, threat actors have been using several techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, persist across upgrades, and maintain access via webshells. One of the vulnerabilities under active exploitation by multiple threat groups is CVE-2021-22893, a zero-day authentication bypass described in an out-of-band Pulse Secure security advisory (SA44784) published the same day. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the appliance and carries a CVSSv3 base score of 10.0.

Affected versions

Rapid7 analysis

The CVE-2021-22893 mitigation file, Workaround-2104.xml, carries its blocklist patterns as encrypted content:

<configuration xmlns="http://xml.pulsesecure.net/ive-sa/9.0R5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" iveData="3166" saData="3104">
    <system>
        <configuration>
            <security>
                <blacklists>
                    <patch>
                        <name>2104-a</name>
                        <content-encrypted>3u+UR6n8AgABAAAAkMVZR4MWAWw8PJFpYwTzo/15TvQnKFfLbsJa7faJbBaMaBb2eYML+wMCviGQhDOu</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-b</name>
                        <content-encrypted>3u+UR6n8AgABAAAAL5MzPwRL3TN4CW7T0Sw/XJxpCut18uLfFj+ggllEaP+0tqz5nsfv1+EMBgPBCfXR</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-c</name>
                        <content-encrypted>3u+UR6n8AgABAAAAHKgo/bDnsClZHYtGvqVQukYo27henSaachy3VzDugEr3fCQfUxd4lTBiCAzqEeXQ</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-d</name>
                        <content-encrypted>3u+UR6n8AgABAAAAcrasNQDd0ZJPX2Bm0+5RAPSBFPfG3lQ6R8De0SqBSXUfIfvr4dH6bmrux6dEMEm4</content-encrypted>
                    </patch>
                    <patch>
                        <name>2104-e</name>
                        <content-encrypted>3u+UR6n8AgABAAAAAn2J/w07x+MjLatn9i8fRZUndUlJmY0+I8l2IT//1sUvIdcPCGQOStDB5e95cAap</content-encrypted>
                    </patch>
                </blacklists>
            </security>
        </configuration>
    </system>
</configuration>

The decrypted content can be retrieved from the appliance’s configuration cache with the /home/bin/dsget command:

root@localhost2:/# for i in {a..e}; do dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric
root@localhost2:/#

Under normal operation the endpoints matching these URI patterns require authentication; the workaround denies requests to them outright, which is why importing it disables the Windows File Share Browser and Pulse Secure Collaboration features.

Guidance

Pulse Secure has issued a workaround, in the form of an XML configuration file, that mitigates CVE-2021-22893 until a permanent fix is available. Pulse Connect Secure customers should import Workaround-2104.xml, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company’s out-of-band advisory, the workaround uses an existing blocklist feature to block the URL-based attack. Rapid7 researchers decrypted the blocklist’s URI patterns, which are:

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric

In addition to applying the workaround, customers may want to block these patterns at the network perimeter, which requires an inline load balancer or similar device that terminates TLS so it can inspect request paths. Pulse Secure has since updated its advisory to include the unencrypted patterns. Customers with shell access to their appliance can run the following command to confirm that the blocklist is in place:

for i in {a..e}; do /home/bin/dsget "/vc0/config/blacklists/patch_2104-$i/content"; done
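The following script is an added example, not code from Rapid7 or Pulse Secure. It covers both points above: is_blocked tests a request path against the five decrypted patterns the way a perimeter device applying them as POSIX extended regexes would (note that `/+` matches one or more slashes, so doubled-slash variants such as `//dana//meeting` are still caught), and verify_blocklist wraps the dsget check so it reports which entries, if any, are missing. It assumes the five patterns are exactly the decrypted patch_2104-a..e entries from the advisory, that /home/bin/dsget prints one entry per call, and it percent-decodes only encoded slashes before matching, a simplification chosen for this example; a real inline device should fully normalize the path first.

```shell
#!/bin/sh
# Added example (not Rapid7's or Pulse Secure's code) around the CVE-2021-22893
# workaround blocklist:
#   is_blocked PATH        - does a request path hit one of the blocklist regexes?
#   verify_blocklist [BIN] - does the appliance's decrypted blocklist contain all five?
# Assumptions: the five patterns below are the decrypted patch_2104-a..e entries
# published in the advisory; a perimeter device matches them as POSIX extended
# regexes (grep -E here) against the decoded request path.

# The five decrypted blocklist entries, one per line.
BLOCKLIST='^/+dana/+meeting
^/+dana/+fb/+smb
^/+dana-cached/+fb/+smb
^/+dana-ws/+namedusers
^/+dana-ws/+metric'

# is_blocked: returns 0 if the request path matches any blocklist regex.
# Only percent-encoded slashes (%2F) are decoded before matching; this is a
# simplification for the example, not something the advisory specifies.
is_blocked() {
  decoded=$(printf '%s' "$1" | sed 's/%2[Ff]/\//g')
  while IFS= read -r pat; do
    if printf '%s\n' "$decoded" | grep -Eq -- "$pat"; then
      return 0
    fi
  done <<EOF
$BLOCKLIST
EOF
  return 1
}

# read_blocklist: prints the decrypted content of patch_2104-a..e using the
# dsget binary given as $1 (defaults to /home/bin/dsget on the appliance).
read_blocklist() {
  dsget_bin="${1:-/home/bin/dsget}"
  for i in a b c d e; do
    "$dsget_bin" "/vc0/config/blacklists/patch_2104-$i/content" || return 1
  done
}

# verify_blocklist: returns 0 only if every expected entry is present in the
# appliance's blocklist; prints each missing entry to stderr otherwise.
verify_blocklist() {
  actual=$(read_blocklist "$1") || {
    echo "dsget failed; has Workaround-2104.xml been imported?" >&2
    return 2
  }
  rc=0
  while IFS= read -r pat; do
    if ! printf '%s\n' "$actual" | grep -Fxq -- "$pat"; then
      echo "missing blocklist entry: $pat" >&2
      rc=1
    fi
  done <<EOF
$BLOCKLIST
EOF
  return $rc
}

# Stand-alone usage: classify a few constructed request paths, then verify the
# appliance blocklist if this is running on a PCS box with dsget available.
for p in /dana/meeting/ //dana-ws//metric /dana-na/auth/url_default/welcome.cgi; do
  if is_blocked "$p"; then echo "BLOCK  $p"; else echo "allow  $p"; fi
done
if [ -x /home/bin/dsget ]; then
  verify_blocklist && echo "blocklist OK"
fi
```

Run it with no arguments on the appliance to check the live blocklist; pass a different dsget path as the first argument to verify_blocklist if the binary lives elsewhere. A non-zero exit from verify_blocklist means at least one of the five entries is absent, in which case the workaround should be re-imported before relying on it.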

Pulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running Ivanti’s Integrity Tool to examine your Pulse Connect Secure images for files that may have been maliciously altered or added.

References

  • https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
  • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 (CVE-2021-22893)
  • https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755 (Pulse Connect Secure Integrity Tool)