Pulse Secure has released a fix for a critical post-authentication remote code execution (RCE) vulnerability in its Connect Secure virtual private network (VPN) appliances. The update addresses an incomplete patch, previously released in October 2020, for an actively exploited bug.
“The Pulse Connect Secure Appliance suffers from an uncontrolled archive extraction vulnerability that allows an attacker to overwrite any file, resulting in remote code execution as root,” Richard Warren from the NCC Group disclosed on Friday. “This vulnerability is a bypass of the patch for CVE-2020-8260.”
“An attacker with such access can bypass any restrictions imposed by the web application and remount the file system so that he can create a persistent backdoor, extract and decrypt credentials, compromise VPN clients or break into the internal network,” Warren added.
The disclosure comes days after Ivanti, the company behind Pulse Secure, published a notice for as many as …