Ivanti Pulse Engineering teams are aware of these vulnerabilities, and we will keep this KB updated.

| Product | CVSS Score / Exploitability if Applicable | Impact | Fix |
| --- | --- | --- | --- |
| Pulse Secure Virtual Traffic Manager | | Affected | vTM 22.1 (April 2022) |
| Pulse Secure Services Director | CVSS Score 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Pulse Secure Services Director is potentially vulnerable; however, it is only accessible to users with admin level privileges. The attack vector is highly complex and requires admin level privileges, so the exploitability factor is low. | Affected | TBD |
| Pulse Secure Web Application Firewall | CVSS Score 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Some configuration management features are potentially vulnerable; however, these features are only accessible to users with admin level privileges. The attack vector is highly complex and requires admin level privileges, so the exploitability factor is low. | Affected | To be bundled with vTM 22.1 (Tentative for April, 2022) |
| Pulse Connect Secure | CVSS Score 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). For this to be successfully exploited on the PCS Server, an authenticated user session between Client and Server is required. This makes the attack vector highly complex and the exploitability factor medium to low. | Affected | 9.1R15 (Tentative for April, 2022) |
| Ivanti Connect Secure (ICS) | CVSS Score 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). For this to be successfully exploited on the PCS Server, an authenticated user session between Client and Server is required. This makes the attack vector highly complex and the exploitability factor medium to low. | Affected | 22.3 (Tentative for April, 2022) |
| Pulse Policy Secure | N/A | Not Affected | |
| Pulse Desktop Client | CVSS Score 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). For the exploit to succeed on the endpoint target, it requires an authenticated user session between Client and Server, and the Server must be in a compromised state. This makes the attack vector highly complex and the exploitability factor medium to low. | Affected | Pulse 9.1R15 (Tentative for April, 2022) |
| Pulse Mobile Client | N/A | Not Affected | |
| Pulse One | N/A | Not Exploitable* | |
| Ivanti Neurons for ZTA | N/A | Not Vulnerable** | |
| Ivanti Neurons for Secure Access | N/A | Not Vulnerable** | |

* When the package/library is present but not used.
** When the package/library is present and used, but it does not have the connectors (prerequisites) to be vulnerable.