Pulse Secure VPN Zero-Day CVE-2021-22893: When Your Security Gateway Becomes the Backdoor

Suspected Chinese state-sponsored groups exploited CVE-2021-22893 in Pulse Secure VPN appliances to breach defense contractors, financial institutions and government agencies. The irony: the security product was the entry point.

Nayan Dey
Security Analyst

VPN appliances are supposed to be the gatekeepers. They are the devices organizations trust to control access to their most sensitive internal networks. So when Pulse Secure disclosed CVE-2021-22893 on 20 April 2021, a zero-day authentication bypass carrying the maximum CVSS score of 10.0, it was not just another vulnerability. It undermined the trust model that thousands of organizations depended on: the device that decides who gets in had itself been taken over.

The Vulnerability

CVE-2021-22893 is an authentication bypass vulnerability in Pulse Connect Secure (PCS) VPN appliances running 9.0R3/9.1R1 and later. An unauthenticated attacker could exploit it to execute arbitrary code on the appliance, gaining full control without ever holding valid credentials.

The flaw lay in how the gateway handled requests to the Windows File Share Browser and Pulse Secure Collaboration features. A crafted HTTP request to those endpoints bypassed authentication entirely and led to code execution as root. No username, no password, no MFA; just a specially crafted request to an internet-facing listener. At disclosure the vendor shipped only a workaround (an XML configuration import that disabled the two features); the fixed release, 9.1R11.4, followed on 3 May 2021, leaving exposed appliances to be mitigated by configuration for two weeks.

The CVSS 10.0 score was warranted. This is about as bad as it gets: network-reachable, unauthenticated, no user interaction required, and full compromise of the device that terminates every remote user's session.

Who Was Behind It

This was not the work of opportunistic criminals. Mandiant (now part of Google Cloud) attributed the activity to two clusters, UNC2630 and UNC2717, and assessed that UNC2630 likely operates on behalf of the Chinese government with possible ties to APT5. The groups had been exploiting Pulse Secure appliances since at least the second half of 2020, months before public disclosure, and CVE-2021-22893 was only part of the story: many of the intrusions Mandiant investigated were enabled by older, already-patched Pulse Secure bugs chained with stolen credentials, with the zero-day used against a subset of targets.

The targets were exactly what you would expect from a nation-state operation:

  • US defense contractors working on sensitive military programs
  • Financial institutions
  • Government agencies across the US and Europe
  • Critical infrastructure operators

CISA issued Emergency Directive 21-03 the same day, ordering federal agencies to enumerate every PCS instance, run the Pulse Secure Integrity Checker Tool on each one and report results within days. It was the first emergency directive specifically targeting a VPN appliance.

The Attack Chain

The attackers did not just exploit the vulnerability and move on. Mandiant tracked twelve malware families in the campaign, a set of web shells and patched system components built specifically for Pulse Secure appliances. Four of the more telling ones:

SLOWPULSE

A patched copy of a legitimate Pulse Secure shared library that hooks the appliance's authentication flow. Its variants let the attacker bypass two-factor checks against ACE, LDAP and RADIUS backends and log the credentials submitted by legitimate users. Because it lives inside a library the appliance ships with rather than in a separately dropped file, it is invisible to anyone who only looks for new files, and it keeps working until the library is restored to its known-good state.

RADIALPULSE

A web shell that captures usernames and passwords submitted to the VPN login flow and writes them to a file on the appliance for later retrieval, providing the attackers with valid credentials for lateral movement into the target network.

ATRIUM

A web shell inserted into one of Pulse Secure's legitimate web application scripts, providing persistent command execution through the appliance's normal HTTPS interface, where the traffic blends in with every other VPN session.

PULSEJUMP

A modification of a legitimate Pulse Secure script that records credentials and session data in real time as users log into the VPN.

The specificity of these tools is notable. They were not generic post-exploitation frameworks; they were patches to Pulse Secure's own libraries and Perl scripts, which means the attackers had studied the product's internals closely enough to modify its authentication path without breaking it for legitimate users.

The Persistence Problem

What made this campaign particularly dangerous was the persistence mechanism. The attackers modified the appliance's legitimate upgrade script so that their implants were carried over into the new image when an update was applied. An administrator who installed the fix for CVE-2021-22893 closed the initial entry point, but the web shells and credential harvesters were still in place afterwards.

This meant organizations that diligently patched their Pulse Secure appliances believed they were safe when they were not. Patching tells you the vulnerability is gone; it tells you nothing about whether the attacker already is. Because PCS is a closed appliance with no shell for administrators, the only practical way to confirm a clean system was the vendor's Integrity Checker Tool, which compares the files on the device against a known-good manifest for that exact build. Early versions of the tool did not catch every variant and had to be updated as more malware families were identified, and a positive result meant rebuilding the appliance from a clean image rather than patching it again.

Several organizations discovered they had been compromised for months, with attackers harvesting credentials and accessing internal systems long after the initial vulnerability was addressed.
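The principle behind an integrity check of this kind, as an added example (this is not Pulse Secure's Integrity Checker Tool, and the directory layout, file names such as DSUpgrade.pm and the version strings are constructed placeholders): take a manifest of digests for a known-good build, compare the live tree against it by content hash rather than by size or timestamp, and refuse to compare against a manifest for a different build, because after a patch every legitimately updated file would otherwise drown the real findings. The demo simulates the three things the campaign did, patching an existing script in place, making a same-length change to a CGI file, and dropping a new file, and shows that all three are reported.

```python
"""Known-good manifest comparison, the principle behind an appliance
integrity check. Added example; it is not Pulse Secure's Integrity Checker
Tool, and the file layout, names and versions below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so multi-GB appliance images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, version: str) -> dict:
    """Record digest, size and permission bits of every regular file under root.

    In a real deployment this manifest comes from the vendor for the exact
    build you run; a baseline you take yourself is only worth anything if it
    was taken before the appliance was exposed."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            files[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return {"version": version, "files": files}


def verify(root: Path, manifest: dict, running_version: str) -> dict:
    """Compare the live tree against the manifest and report drift.

    Refuses a manifest for a different build: after a patch, every legitimately
    updated file would otherwise show as 'modified' and bury the real findings.
    Content is compared by digest, never by size or mtime, because an in-place
    patch of a library or script can leave both unchanged."""
    if manifest["version"] != running_version:
        raise ValueError(
            f"manifest is for {manifest['version']}, appliance runs {running_version}")
    live = build_manifest(root, running_version)["files"]
    expected = manifest["files"]
    modified = sorted(n for n in expected.keys() & live.keys()
                      if live[n]["sha256"] != expected[n]["sha256"])
    added = sorted(live.keys() - expected.keys())      # e.g. dropped web shells
    missing = sorted(expected.keys() - live.keys())    # e.g. deleted logs or tools
    return {"modified": modified, "added": added, "missing": missing,
            "clean": not (modified or added or missing)}


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then simulate the kind
    of post-exploitation changes the campaign made (a patched script, a
    same-length edit, a dropped CGI file) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "perl").mkdir()
        (root / "cgi-bin").mkdir()
        script = root / "perl" / "DSUpgrade.pm"      # placeholder content
        cgi = root / "cgi-bin" / "welcome.cgi"       # placeholder content
        script.write_text("package DSUpgrade;\n1;\n")
        cgi.write_text("#!/usr/bin/perl\nprint 'ok';\n")
        baseline = build_manifest(root, "9.1R11.4")
        result = {"baseline_clean": verify(root, baseline, "9.1R11.4")["clean"]}

        # Tampering, constructed for the demo: append a line to the upgrade
        # script, rewrite the CGI with a same-length change (file size is
        # identical, only the content differs), and drop an extra file.
        with script.open("a") as f:
            f.write("# extra line appended for the demo\n")
        cgi.write_text("#!/usr/bin/perl\nprint 'OK';\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/usr/bin/perl\n")
        result.update(verify(root, baseline, "9.1R11.4"))

        # A manifest for a different build must be rejected, not compared.
        stale = build_manifest(root, "9.1R11.3")
        try:
            verify(root, stale, "9.1R11.4")
            result["stale_manifest_rejected"] = False
        except ValueError:
            result["stale_manifest_rejected"] = True
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-length edit to welcome.cgi is the case that defeats size- or mtime-based monitoring: only the digest comparison catches it. The version gate matters in practice because the manifest you check against has to describe the build that is actually running, which is exactly why the vendor's tool is tied to specific releases.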

The Broader VPN Problem

CVE-2021-22893 was not an isolated incident for Pulse Secure. The product had a troubled security history, and the same campaign leaned on it:

  • CVE-2019-11510: an unauthenticated arbitrary file read that exposed cached plaintext credentials, exploited widely in 2019 and 2020 by both state actors and ransomware crews
  • CVE-2020-8243: a code injection vulnerability in the admin interface, requiring admin credentials
  • CVE-2020-8260: an unrestricted file upload in the admin interface, also requiring admin credentials

Each of these was exploited in the wild, often by nation-state actors. The two 2020 bugs need an authenticated administrator, which is why they were chained with credentials stolen through CVE-2019-11510 or the harvesters described above: an appliance that was "patched" against the zero-day but whose admin password had already been captured was still wide open. The pattern was clear: Pulse Secure appliances were a high-value target, and new vulnerabilities kept appearing.

This is not unique to Pulse Secure. Fortinet, Citrix, SonicWall and Palo Alto Networks VPN products have all had critical vulnerabilities exploited in the wild. VPN appliances sit at the network edge, they are internet-facing by design, they hold or see credentials for every remote user, they have a path to everything behind them, and they are closed systems on which defenders cannot install their own agents. That combination makes them one of the most attractive targets on any network.

What Should Have Been Done Differently

1. Network Segmentation Behind the VPN

Many organizations treated the VPN as a binary trust boundary: you are either outside (untrusted) or inside (trusted). Once an attacker controlled the appliance, they could mint sessions with the same network access as any authenticated user, and with the harvested credentials they could also log in as those users directly. Segmenting what a VPN session can reach, and verifying every access request at the application rather than trusting the tunnel it arrived through, would have limited the blast radius considerably.

2. Appliance Integrity Monitoring

Organizations need to verify the integrity of their edge appliances, not just patch them. On a closed appliance you cannot install file integrity monitoring of your own, so this means running the vendor's integrity tool on a schedule and after every upgrade, shipping the appliance's logs off-box in real time so an attacker who wipes them locally does not erase the evidence, and watching for the signs of a hooked authentication path: logins that succeed without a corresponding MFA event, admin sessions from unexpected sources, and configuration changes nobody made. Few organizations monitored their VPN appliances beyond uptime.

3. Credential Rotation After Compromise

Even after patching, if an attacker had access to a VPN appliance for months, every credential that passed through it should be considered compromised: user passwords, service accounts bound to the appliance for LDAP or RADIUS lookups, the appliance's own admin accounts and its TLS private keys and certificates. Active sessions should be revoked as well, since a stolen session is as good as a password until it expires. Many organizations patched and moved on without rotating any of this, leaving the attackers' harvested credentials valid.

4. Redundant Authentication

If your VPN is your only authentication gateway, its compromise means total compromise. The authentication the appliance performs cannot be trusted once the appliance is hooked: SLOWPULSE simply patched the MFA check to pass. Two things help. First, credentials that are useless when captured: hardware-backed, phishing-resistant authenticators (FIDO2 keys, certificate-based mutual TLS) cannot be replayed the way a harvested password can. Second, authentication that the appliance does not terminate: if internal applications verify identity themselves rather than trusting "came in over the VPN", a compromised gateway yields network reachability but not access.

CISA's Response and Industry Impact

The emergency directive from CISA was significant because it acknowledged that VPN appliances are critical infrastructure in their own right. The directive required federal agencies to:

  1. Run the Pulse Secure Integrity Checker Tool
  2. Report any indication of compromise within 24 hours
  3. Isolate compromised appliances immediately
  4. Provide forensic images for CISA analysis

This response set a precedent for how government agencies handle compromised network edge devices and led to increased scrutiny of VPN appliance security across the federal government.

How Safeguard.sh Helps

Safeguard.sh provides the visibility and monitoring capabilities that were missing in the Pulse Secure campaign:

  • Continuous Vulnerability Monitoring: Safeguard.sh tracks CVEs against your actual infrastructure inventory, ensuring you know about vulnerabilities like CVE-2021-22893 the moment they're disclosed and can prioritize remediation.
  • Software Integrity Verification: By maintaining SBOMs and tracking software component changes, Safeguard.sh helps detect unauthorized modifications to critical infrastructure components.
  • Patch Verification: Safeguard.sh doesn't just track whether a patch was applied — it verifies that your environment is actually running the patched version, catching cases where persistence mechanisms survive updates.
  • Risk Prioritization: When multiple vulnerabilities exist in your environment, Safeguard.sh helps prioritize based on exploitability, exposure, and business impact, ensuring critical edge devices get immediate attention.

The Pulse Secure campaign proved that your security infrastructure can be your biggest vulnerability. Safeguard.sh ensures you have continuous visibility into every component of your security stack.
