CVE-2020-8260

unknown KEV

Published 2021-11-03 · Modified 2021-11-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction.

CISA KEV

Vendor: Ivanti
Product: Pulse Connect Secure
Due date: 2022-05-03

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

{Vendor advisory: cisa-kev — Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03. https://nvd.nist.gov/vuln/detail/CVE-2020-8260}

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Metasploit modules

exploit_linux/http/pulse_secure_gzip_rce rank 600

Pulse Secure VPN gzip RCE

Source fetch failed: fetch_error — view the original via the link above.

References

Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03. https://nvd.nist.gov/vuln/detail/CVE-2020-8260

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.