Pulse Secure VPN Endpoints

Pulse Secure “Pulse Connect Secure” VPN describes itself as:

a seamless, cost-effective, SSL VPN solution for remote and mobile users from any web-enabled device to corporate resources

So it is no surprise that it is used by enterprises and governments around the world.

On August 22, 2019, our honeypots started detecting mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN server endpoints vulnerable to CVE-2019-11510. This vulnerability was addressed by Pulse Secure on 24th April 2019.

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.

In summary, it allows unauthenticated attackers to read sensitive information such as private keys and user passwords. With those credentials, attackers could then take advantage of CVE-2019-11539 to gain access inside private VPN networks.
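To check an inventory of PCS appliances against the affected ranges quoted above, the following added example (not code from the original post or from Pulse Secure) classifies version strings. It assumes versions are written as in the description (for example `9.0R3.4`), treats a missing patch component as 0, and reports branches the description does not name as `not-listed`; the hostnames and sample versions are constructed.

```python
import re

# First fixed (release, patch) per (major, minor) branch, taken from the
# CVE-2019-11510 description quoted above.
FIXED = {(8, 1): (15, 1), (8, 2): (12, 1), (8, 3): (7, 1), (9, 0): (3, 4)}
OLDEST_BRANCH = min(FIXED)  # (8, 1): the description says "before 8.1R15.1"
# Assumed format, matching the strings in the description: 9.0R3.4, 8.2R12, ...
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, release, patch); a missing patch counts as 0."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    major, minor, release, patch = parse_version(text)
    branch = (major, minor)
    if branch < OLDEST_BRANCH:
        # Everything older than the 8.1 branch sorts before 8.1R15.1.
        return "affected"
    if branch not in FIXED:
        # Branch the description does not name (for example newer than 9.0).
        return "not-listed"
    return "affected" if (release, patch) < FIXED[branch] else "fixed"


def triage(inventory):
    """Map hostname -> classification; unparsable strings need manual review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {"vpn-a": "9.0R3.4", "vpn-b": "9.0R3.3", "vpn-c": "8.2R12",
              "vpn-d": "8.1R15.1", "vpn-e": "7.4R9", "vpn-f": "unknown"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `not-listed` or `unparsed` need to be checked against the vendor advisory by hand rather than assumed safe.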

Number of Pulse VPN Detected

In the last week of August we ran a worldwide scan to understand the versions of the exposed Pulse Secure VPN Endpoints. Based on a simple HTTPS Request on port 443, this is the data gathered:


Top 20 Pulse VPN Versions Detected

Version Count 12318 3045 2326 2019 1846 1517 1405 1248 870 798 652 636 626 613 562 416 360 300 298 279

Organizations (Based on Reverse DNS)

Parent Domain Count
akamaitechnologies.com 3465
rima-tde.net 325
expedient.com 301
comcastbusiness.net 245
amazonaws.com 211
virtela.net 202
hinet.net 167
rr.com 129
ucom.ne.jp 113
belgacom.be 111
bezeqint.net 99
vectant.ne.jp 88
qwest.net 86
sfr.net 69
ocn.ne.jp 68
lightower.net 67
kpn.net 65
accenture.com 51
cox.net 49
vsnl.net.in 49

On a final note, organizations should ensure their systems are patched as soon as possible.