PatchSiren cyber security CVE debrief
CVE-2021-22900 Ivanti CVE debrief
CVE-2021-22900 is an unrestricted file upload vulnerability in Ivanti Pulse Connect Secure. CISA lists it in the Known Exploited Vulnerabilities catalog, indicating confirmed exploitation in the wild. The CISA KEV entry directs organizations to apply updates per vendor instructions and references Emergency Directive 21-03 for further guidance.
- Vendor: Ivanti
- Product: Pulse Connect Secure
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2021-11-03
- Original CVE updated: 2021-11-03
- Advisory published: 2021-11-03
- Advisory updated: 2021-11-03
Who should care
Organizations running Ivanti Pulse Connect Secure, especially security teams responsible for internet-facing VPN appliances, patch management, and incident response.
Technical summary
The vulnerability is described by CISA as an unrestricted file upload issue in Ivanti Pulse Connect Secure. Because it is included in CISA’s KEV catalog, defenders should treat it as an actively exploited issue and prioritize remediation using vendor-provided updates and any related CISA guidance.
Defensive priority
High. This is a KEV-listed vulnerability with a CISA due date of 2022-05-03, so remediation should be prioritized ahead of routine maintenance windows.
Recommended defensive actions
- Apply the vendor-recommended updates for Ivanti Pulse Connect Secure as directed by CISA.
- Inventory all Pulse Connect Secure instances, including internet-facing appliances and any shadow deployments.
- Validate that affected systems are patched and that the remediation matches the vendor instructions referenced by CISA.
- Review authentication, admin, and file-upload related logs for signs of suspicious activity around exposed VPN appliances.
- Follow CISA Emergency Directive 21-03 guidance where applicable and confirm compliance with any required mitigation steps.
Evidence notes
The source corpus identifies CVE-2021-22900 as a CISA Known Exploited Vulnerability for Ivanti Pulse Connect Secure, with dateAdded 2021-11-03 and dueDate 2022-05-03. The KEV metadata states "Apply updates per vendor instructions" and points to CISA ED 21-03 for further guidance. No CVSS score was supplied in the corpus.
Official resources
- CVE-2021-22900 CVE record (CVE.org)
- CVE-2021-22900 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply updates per vendor instructions.
- Source item URL (cisa_kev)
CISA added CVE-2021-22900 to the Known Exploited Vulnerabilities catalog on 2021-11-03, indicating active exploitation and making remediation a priority by the CISA due date of 2022-05-03.