CVE-2019-11510 Explained: Pulse Secure VPN Arbitrary File Read and Credential Theft
A CVSS 10.0 pre-authentication arbitrary file read in Pulse Secure VPN appliances. Cached credentials extracted from thousands of government and enterprise VPN gateways and sold on criminal forums years later.

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure SSL VPN appliances. Pulse Secure published its advisory (SA44101) and fixed builds in April 2019; the technical details and a working public exploit followed in August 2019. It carries a CVSS v3 base score of 10.0. An unauthenticated attacker who can reach the appliance's HTTPS interface, whether the user portal or an admin portal exposed on the same interface, can craft a URL that causes the device to serve arbitrary files from its filesystem, including the cache database that holds plaintext credentials of users who recently authenticated.
The vulnerability was immediately weaponized. Credentials extracted from thousands of enterprise and government VPN gateways were publicly posted, sold on criminal forums, and incorporated into nation-state offensive toolkits. CISA issued multiple advisories. Despite this, exploitation remained active for years — because many organizations were unaware they were running vulnerable firmware, and because some organizations patched but failed to rotate the credentials that had already been stolen.
How CVE-2019-11510 Works: URL Traversal to Credential Database
The flaw is a path traversal in the Pulse Connect Secure web server's URL handling. One handler path, the HTML5 access component under /dana/html5acc/guacamole/, is reachable without authentication, and traversal sequences in a URL routed through it are not neutralised before the file is opened. An unauthenticated attacker can therefore force the appliance to read and return arbitrary files from the underlying filesystem.
The most impactful files are the appliance's LMDB cache database (data.mdb under /data/runtime/mtmp/lmdb/) and its session store (/data/runtime/mtmp/system). Between them they hold active session identifiers, VPN configuration data and, critically, cached plaintext credentials for the Active Directory accounts that recently authenticated through the VPN.
A single HTTP request to a crafted URL on a vulnerable Pulse Secure appliance returns the configuration database. Automated tools published within days of disclosure could scan the entire internet-facing Pulse Secure population and extract credentials in bulk. By the time most organizations became aware of the advisory, their credentials had already been extracted.
Affected releases are Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, per advisory SA44101. The same advisory fixed related flaws in Pulse Policy Secure, so check that product's build as well. Because the vulnerable handler lives on the appliance's HTTPS interface, both the user VPN portal and an admin portal served on that interface are reachable before authentication.
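A version check written for this article, not Pulse Secure's own tooling, that turns the thresholds above into code. It assumes the version string reads the way the admin console prints it, for instance "8.3R7.1 (build 65025)"; the build number is illustrative and is ignored by the parser. Branches the advisory does not list (8.1 and earlier) are reported as unknown rather than silently treated as safe.

```python
import re

# Fixed builds from Pulse Secure advisory SA44101 for CVE-2019-11510:
# affected branch -> first build on that branch that contains the fix.
FIXED = {
    (8, 2): (8, 2, 12, 1),   # 8.2R12.1
    (8, 3): (8, 3, 7, 1),    # 8.3R7.1
    (9, 0): (9, 0, 3, 4),    # 9.0R3.4
}

# Pulse Connect Secure versions look like 9.0R3.4 or 8.3R7 (patch digit optional).
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn a version string such as '8.3R7.1 (build 65025)' into a comparable
    (major, minor, release, patch) tuple. A missing patch digit counts as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(text):
    """True if the build is below the fixed build for its branch, False if it is
    at or above it or on a branch newer than 9.0 (9.1 shipped after the fix).
    None for branches the advisory does not list: treat as end-of-life and
    confirm with the vendor rather than assuming they are safe."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    if branch > (9, 0):
        return False
    return None


if __name__ == "__main__":
    for sample in ("8.2R12", "8.3R7.1 (build 65025)", "9.0R3.2", "9.0R3.4", "9.1R1", "8.1R15"):
        print(f"{sample:28} vulnerable={is_vulnerable(sample)}")
```

The comparison is tuple-wise, so "9.0R4" correctly sorts above "9.0R3.4" even though the patch digit is absent.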
Identify exposed Pulse Secure appliances
Scan internet-facing infrastructure for Pulse Secure VPN portals. The login page is distinctive and widely indexed by Shodan and Censys. Automated scanners identified over 14,500 exposed appliances within days of public disclosure.
Send path traversal request
Craft an unauthenticated HTTP GET request to a URL with a path traversal sequence targeting the session cache or configuration file. No session cookie, authentication token, or prior interaction is required.
Receive credential database
The VPN appliance returns the requested file in the HTTP response body. The cache and session store contain active session identifiers that can be replayed, cached plaintext credentials for users who recently authenticated, including Windows domain accounts, and password hashes for the appliance's local accounts.
Extract and crack credentials
Parse the returned database for usernames, passwords, and session identifiers. Cached user credentials are stored in plaintext and need no cracking; the hashes for local appliance accounts can be cracked offline. Domain credentials can be used for Active Directory authentication, VPN access, and email.
Use credentials for access
Use extracted VPN credentials to authenticate to the VPN as legitimate users, gaining internal network access. Use domain credentials for lateral movement, email access, and secondary target identification.
Long-Tail Exploitation: Why CVE-2019-11510 Kept Working for Years
CVE-2019-11510 demonstrates a distinctive exploitation pattern: initial mass credential extraction followed by long-tail exploitation of those credentials years after the vulnerability was patched.
CISA Advisory AA20-010A, issued in January 2020, warned that unpatched appliances were still being exploited five months after working exploits became public. In April 2020 CISA followed with Alert AA20-107A, warning that credentials stolen via CVE-2019-11510 before patching were still being used against organizations that had since applied the firmware fix. Organizations that patched but did not rotate the credentials already taken remained exposed. The vulnerability was closed; the breach was ongoing.
In August 2020, a list of over 900 enterprise and government Pulse Secure VPN servers, with IP addresses and associated plaintext credentials extracted via CVE-2019-11510, was posted on a criminal forum. The list included organizations in the healthcare, financial services, and defense sectors, as well as US government agencies.
Nation-state actors attributed to Iran, China, and Russia were all observed exploiting CVE-2019-11510, both during the initial exploitation wave and during the long-tail phase using cached credentials. Ransomware groups — particularly REvil and related affiliates — used extracted credentials as initial access for ransomware deployment campaigns.
“Organizations that have not applied the Pulse Secure VPN patch and rotated all associated credentials should assume they have been compromised and investigate accordingly.”
— CISA Advisory AA20-010A, January 2020
Patching and Remediating CVE-2019-11510
Pulse Secure released fixed builds with its advisory in April 2019; public technical details and working exploits followed in August 2019. If you are still running vulnerable firmware, you have been exposed for years. The remediation has three mandatory steps: patch, rotate credentials, and investigate for compromise.
Upgrade Pulse Connect Secure firmware immediately
Upgrade to 8.2R12.1, 8.3R7.1, 9.0R3.4, or any later release. Check your current version via the admin console under System > Status. Any version below the thresholds above is vulnerable.
Rotate ALL credentials used with the VPN — mandatory
Patching does not protect credentials that were already stolen. Rotate every domain account, local account, and service account whose credentials passed through the Pulse Secure VPN, including the appliance's own local admin accounts and any directory bind accounts stored in its configuration. This means account passwords, not just VPN certificates. This step is non-negotiable.
Revoke and reissue all VPN certificates and tokens
Revoke and reissue all device certificates, user certificates, and session tokens associated with the VPN appliance. Session identifiers read from the session store can be replayed until they expire or are revoked, and an arbitrary file read can also reach private key material stored on the appliance.
Investigate for signs of compromise
Examine VPN access logs for connections from unusual geographic locations or unfamiliar devices during the exposure window (any time between original firmware deployment and patching). Treat the appliance's own logs as a lower bound: an attacker who has read its filesystem may also have been able to alter or clear them, so corroborate with upstream proxy, firewall, and authentication logs. Cross-reference with your SIEM for anomalous activity following those connections.
Implement multi-factor authentication on VPN access
A stolen username/password pair only opens the VPN if a password alone is sufficient. Enforcing MFA on every VPN connection means a credential harvested from the cache cannot be used on its own, which makes it the most effective long-term protection against credential-based VPN attacks. One caveat: MFA does not protect a session identifier that was also read from the appliance and replayed, which is why revoking tokens is a separate step.
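Scoping the rotation and the investigation both start from the same data: who authenticated through the appliance, from where, and when. The script below is an added example for this article, not a Pulse Secure tool, and works over a constructed CSV-style event list (timestamp, user, source IP, source country, result) rather than a real Pulse log format; an export from your SIEM can be mapped onto the same five fields. It produces the rotation list for an exposure window and flags successful logins from a country the account had never used before exploitation became public.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication events (not a real Pulse log format):
# timestamp,username,source IP,source country,result
SAMPLE_EVENTS = """\
2019-06-03T08:02:11Z,alice,198.51.100.20,US,success
2019-06-03T08:05:40Z,bob,198.51.100.21,US,success
2019-07-15T22:10:02Z,svc-backup,203.0.113.5,US,success
2019-08-25T02:41:19Z,alice,192.0.2.77,RO,success
2019-08-25T02:45:03Z,svc-backup,192.0.2.77,RO,success
2019-09-02T14:00:00Z,carol,198.51.100.22,US,success
2019-09-02T14:00:30Z,mallory,192.0.2.78,RO,failure
2019-10-10T09:12:00Z,bob,198.51.100.21,US,success
"""


def ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, ip, country, result = line.split(",")
        events.append({"ts": ts(when), "user": user, "ip": ip,
                       "country": country, "ok": result == "success"})
    return events


def accounts_to_rotate(events, window_start, window_end):
    """Every account that authenticated successfully while the appliance was
    exploitable may be sitting in the stolen cache, so every one of them is
    rotated. The window runs from firmware deployment (or the earliest date
    you cannot rule out) to the moment the patch was applied."""
    return sorted({e["user"] for e in events
                   if e["ok"] and window_start <= e["ts"] <= window_end})


def new_geo_logins(events, baseline_end):
    """Successful logins on or after baseline_end from a country the account
    had never used before it: candidates for misuse of stolen credentials.
    Accounts with no history before baseline_end are left for manual review."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["country"])
    return [e for e in events
            if e["ok"] and e["ts"] >= baseline_end
            and e["user"] in baseline and e["country"] not in baseline[e["user"]]]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    # Window: fix available (April 2019) until this hypothetical org patched (30 Sep 2019).
    print("rotate:", accounts_to_rotate(events, ts("2019-04-24T00:00:00Z"), ts("2019-09-30T00:00:00Z")))
    # Baseline ends when working exploits became public (August 2019).
    for e in new_geo_logins(events, ts("2019-08-01T00:00:00Z")):
        print("review:", e["ts"].isoformat(), e["user"], e["ip"], e["country"])
```

On the sample data the rotation list is alice, bob, carol and svc-backup (mallory only failed), and the two logins flagged for review are alice and svc-backup from the same Romanian address a few days after the exploit went public; bob's October login falls after the window and from a known location, so it is neither.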
The bottom line
CVE-2019-11510 is a master class in why patching alone is insufficient when a credential-exposing vulnerability has been exploited at scale. The patch closes the file read. It does not close the Active Directory accounts whose passwords were in that file. It does not invalidate the session tokens that were cached. It does not undo months of access by threat actors who connected with the stolen credentials before the patch was applied.
Organizations that patched CVE-2019-11510 without rotating credentials discovered this the hard way — when ransomware operators used years-old extracted VPN credentials for initial access. The complete remediation is patch plus credential rotation plus compromise investigation. All three. In parallel.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.