vulnerability

Pulse Secure Pulse Connect Secure: SA45476 - Client Side Desync Attack (Informational)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:M/Au:S/C:P/I:P/A:N)	Feb 14, 2023	May 21, 2024	May 18, 2026

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:P/A:N)

Published

Feb 14, 2023

Added

May 21, 2024

Modified

May 18, 2026

Description

A Client-Side Desync (CSD) Attack affects the Pulse Collaboration feature in Pulse Connect Secure. The attack requires an authenticated user and requires full control over an authenticated session. This is possible between a client machine and the VPN (Pulse Connect Secure) server. The Pulse Collaboration feature that is the target of this attack is not available in release 9.1R16 or any releases post 9.1R16.

Solution

pulse-secure-pulse-connect-secure-upgrade-9_1r16

References

CVE-2022-21826
https://attackerkb.com/topics/CVE-2022-21826
https://forums.ivanti.com/s/article/Client-Side-Desync-Attack?language=en_US
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-26985
CWE-444
EUVD-EUVD-2022-26985

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report