Rapid7 Vulnerability & Exploit Database

Pulse Secure VPN Arbitrary Command Execution

Back to Search

Pulse Secure VPN Arbitrary Command Execution



This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required in lieu of untested SSRF.


  • Orange Tsai
  • Meh Chang
  • wvu <wvu@metasploit.com>




cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/pulse_secure_cmd_exec
msf exploit(pulse_secure_cmd_exec) > show targets
msf exploit(pulse_secure_cmd_exec) > set TARGET < target-id >
msf exploit(pulse_secure_cmd_exec) > show options
    ...show and set options...
msf exploit(pulse_secure_cmd_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security