Skip to main content

CVE-2021-22893 - Pulse Connect Secure RCE

This Playbook is part of the Rapid Breach Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks:

  • Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
  • Search for unpatched endpoints vulnerable to the exploits.
  • Search network facing system using Expanse for relevant issues.
  • Indicators and known webshells hunting using SIEM products.
  • Block indicators automatically or manually.
  • Provide different mitigations that has been publicly published such as:
    • Patches
    • Workarounds
    • Yara and Snort Rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information: Exploitation of Pulse Connect Secure Vulnerabilities


This playbook uses the following sub-playbooks, integrations, and scripts.


  • QRadar Indicator Hunting V2
  • Search Endpoint by CVE - Generic
  • QRadarFullSearch
  • Palo Alto Networks - Hunting And Threat Detection
  • Block Indicators - Generic v3
  • Splunk Indicator Hunting


This playbook does not use any integrations.


This playbook does not use any scripts.


  • splunk-search
  • enrichIndicators
  • extractIndicators
  • expanse-get-issues

Playbook Inputs#

NameDescriptionDefault ValueRequired
Related_HashesThe known hashes of different malware families associated with the exploitation.06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7,64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7,1322340356018696d853e0ac6f7ce3a2,09956753b5000061524d204000000001,88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079,9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd,325d6d60e24c7cfc3a782839d85ce08c8d3bb27c,1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd,1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9,cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68,d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b,c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c,2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8,c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4,224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450,78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282,1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc,133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a,68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2,7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a,f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90,a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1,e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415,b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a,b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9,b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4,168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc,4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec,705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154fOptional
Related_CVEsThe known CVEs associated with the exploitation.CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-22893Optional
BlockAutomaticallyWhether to block the indicators automatically.
Default: False.
QRadarWebshellsQueryThe QRadar search query used for "Hunt Activity Using QRadar".
Please note that there aren't specified fields which may cause a longer run time.
select * from events WHERE LogSourceTypeName(deviceType) = 'Pulse Secure Pulse Connect Secure' and ( UTF8(payload) LIKE '%Licenseserverproto.cgi%' or UTF8(payload) LIKE '%Secid_canceltoken.cgi%' or UTF8(payload) LIKE '%compcheckresult.cgi%' or UTF8(payload) LIKE '%Login.cgi%' or UTF8(payload) LIKE '%Healthcheck.cgi%' or UTF8(payload) LIKE '%meeting_testjs.cgi%' or UTF8(payload) LIKE '%compcheckjava.cgi%')Optional
SplunkWebshellsQueryThe Splunk search query used for "Hunt Activity Using Splunk".
Please note that there are two specified fields: msg, message. the query will work for both field names.
index=* sourcetype=pulse:connectsecure "Licenseserverproto.cgi" OR "Secid_canceltoken.cgi" OR "compcheckresult.cgi" OR "Healthcheck.cgi" OR "meeting_testjs.cgi" OR "compcheckjava.cgi"Optional
RunWebshellsQueryIf you would like to skip "Hunt Activity Using Splunk" OR "Hunt Activity Using Qradar" please change the value to 'False'.TrueOptional
QRadar_MD5_FieldThe name of the field for MD5 entries in QRadar.
If not configured, QRadar Indicator Hunting may reach timeout.
QRadar_SHA1_FieldThe name of the field for SHA1 entries in QRadar.
If not configured, QRadar Indicator Hunting may reach timeout.
QRadar_SHA256_FieldThe name of the field for SHA256 entries in QRadar.
If not configured, QRadar Indicator Hunting may reach timeout.
SplunkEarliestTimeThe earliest time for the Splunk search query.-30dOptional
SplunkLatestTimeThe latest time for the Splunk search query.nowOptional
AutoBlockIndicatorBy default, the system does not automatically block indicators. However, it is possible to configure the condition to enable automatic blocking of indicators. This can provide an added layer of security and ensure that potentially harmful indicators are prevented from causing any damage. It is important to carefully consider the potential impact of automatic blocking before enabling this feature, as it may lead to legitimate indicators being blocked.TrueOptional
UserVerificationIn order for the playbook to proceed, it is necessary for users to validate the relevant indicators in accordance with the provided settings. Default: FalseFalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

CVE-2021-22893 - Pulse Connect Secure RCE