CVE-2019-11510 Explained: Pulse Secure VPN Arbitrary File Read and Credential Theft
A CVSS 10.0 pre-authentication arbitrary file read in Pulse Secure VPN appliances. Cached credentials extracted from thousands of government and enterprise VPN gateways and sold on criminal forums years later.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure SSL VPN appliances. Disclosed in August 2019, it scores a perfect 10.0 on the CVSS v3 scale. An unauthenticated attacker who can reach the VPN's HTTPS management or user portal can craft a URL that causes the device to serve arbitrary files from its filesystem, including its sensitive configuration database containing cached user credentials.
The vulnerability was immediately weaponized. Credentials extracted from thousands of enterprise and government VPN gateways were publicly posted, sold on criminal forums, and incorporated into nation-state offensive toolkits. CISA issued multiple advisories. Despite this, exploitation remained active for years, because many organizations were unaware they were running vulnerable firmware, and because some organizations patched but failed to rotate the credentials that had already been stolen.
How CVE-2019-11510 Works: URL Traversal to Credential Database
The vulnerability is a path traversal flaw in the Pulse Connect Secure web server's URL handling. Certain URL paths intended for internal use do not enforce authentication checks. By manipulating the URL path with traversal sequences, an unauthenticated attacker can force the VPN appliance to read and return arbitrary files from the underlying filesystem.
The most impactful file accessible via CVE-2019-11510 is the session cache file, which stores session tokens, VPN configuration data, and, critically, cached plaintext or easily reversible credentials for Active Directory accounts that have authenticated through the VPN.
A single HTTP request to a crafted URL on a vulnerable Pulse Secure appliance returns the configuration database. Automated tools published within days of disclosure could scan the entire internet-facing Pulse Secure population and extract credentials in bulk. By the time most organizations became aware of the advisory, their credentials had already been extracted.
Affected products and versions include Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. Pulse Policy Secure is also affected. The web administration portal and the user VPN portal are both vulnerable.
Identify exposed Pulse Secure appliances
Scan internet-facing infrastructure for Pulse Secure VPN portals. The login page is distinctive and widely indexed by Shodan and Censys. Automated scanners identified over 14,500 exposed appliances within days of public disclosure.
Send path traversal request
Craft an unauthenticated HTTP GET request to a URL with a path traversal sequence targeting the session cache or configuration file. No session cookie, authentication token, or prior interaction is required.
Receive credential database
The VPN appliance returns the requested file in the HTTP response body. The session cache contains session tokens, plaintext passwords for local accounts, and cached Windows domain credentials.
Extract and crack credentials
Parse the returned database for usernames, passwords, and domain credentials. Many stored credentials are in recoverable formats. Domain credentials can be used for Active Directory authentication, VPN access, and email.
Use credentials for access
Use extracted VPN credentials to authenticate to the VPN as legitimate users, gaining internal network access. Use domain credentials for lateral movement, email access, and secondary target identification.
Long-Tail Exploitation: Why CVE-2019-11510 Kept Working for Years
CVE-2019-11510 demonstrates a distinctive exploitation pattern: initial mass credential extraction followed by long-tail exploitation of those credentials years after the vulnerability was patched.
In August 2020, a full year after disclosure, CISA Advisory AA20-010A warned that credentials extracted via CVE-2019-11510 were still being actively used to compromise targets. Organizations that had patched the VPN firmware but not rotated the credentials that were already stolen remained exposed. The vulnerability was closed; the breach was ongoing.
In 2020, a criminal forum published a list of over 900 enterprise and government Pulse Secure VPN server IP addresses with associated plaintext credentials extracted via CVE-2019-11510. The list included organizations in the healthcare, financial services, and defense sectors, as well as US government agencies.
Nation-state actors attributed to Iran, China, and Russia were all observed exploiting CVE-2019-11510, both during the initial exploitation wave and during the long-tail phase using cached credentials. Ransomware groups, particularly REvil and related affiliates, used extracted credentials as initial access for ransomware deployment campaigns.
“Organizations that have not applied the Pulse Secure VPN patch and rotated all associated credentials should assume they have been compromised and investigate accordingly.”
CISA Advisory AA20-010A, January 2020
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Remediating CVE-2019-11510
Pulse Secure released patches in April 2019, four months before the public advisory. If you are still running vulnerable firmware, you have been exposed for years. The remediation has three mandatory steps: patch, rotate credentials, and investigate for compromise.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2019-11510 is a master class in why patching alone is insufficient when a credential-exposing vulnerability has been exploited at scale. The patch closes the file read. It does not close the Active Directory accounts whose passwords were in that file. It does not invalidate the session tokens that were cached. It does not undo months of access by threat actors who connected with the stolen credentials before the patch was applied.
Organizations that patched CVE-2019-11510 without rotating credentials discovered this the hard way, when ransomware operators used years-old extracted VPN credentials for initial access. The complete remediation is patch plus credential rotation plus compromise investigation. All three. In parallel.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2019-11510 and what does it expose?
CVE-2019-11510 is a CVSS 10.0 pre-authentication path traversal in Pulse Connect Secure VPN appliances. An unauthenticated attacker sends a crafted URL that causes the device to return arbitrary filesystem files, including the session cache containing plaintext Active Directory credentials. Over 14,500 appliances were exposed at peak exploitation. No login is required, a single HTTP request extracts the credential database.
How do I fix CVE-2019-11510?
Upgrade Pulse Connect Secure to 8.2R12.1, 8.3R7.1, 9.0R3.4 or later. Critically, patching alone is insufficient, you must also rotate every credential (domain accounts, local accounts, service accounts) that passed through the VPN, as stolen credentials remain valid indefinitely after patching. Investigate VPN logs for access during the exposure window and implement MFA on all VPN connections.
Why were organizations still breached years after patching CVE-2019-11510?
Patching the file read vulnerability does not invalidate credentials already extracted before patching. Organizations that upgraded the firmware but did not rotate VPN user passwords remained exposed, attackers using credential databases collected during the 2019-2020 exploitation wave could still authenticate with the stolen passwords. CISA warned in January 2020 that credentials extracted before patching were still being actively used for unauthorized access a full year later.
Which threat actors exploited CVE-2019-11510 and what did they target?
Nation-state actors from Iran (Fox Kitten / Phosphorus), China, and Russia were all confirmed exploiting CVE-2019-11510. Iranian actors targeted US government agencies, defense contractors, municipalities, and critical infrastructure for persistent access. Chinese and Russian APT groups also used Pulse Secure access for espionage campaigns. Additionally, ransomware operators used extracted credentials as initial access for ransomware deployment campaigns, with REvil and related affiliates confirmed using Pulse Secure credentials for enterprise ransomware attacks.
How widespread was CVE-2019-11510 exploitation across the internet?
Automated scanners identified over 14,500 internet-exposed Pulse Connect Secure appliances at peak exploitation in 2019. Credentials from hundreds of US government agencies, healthcare organizations, financial institutions, and defense contractors were publicly posted on criminal forums. In August 2020, a post on a criminal forum listed over 900 enterprise and government IP addresses with associated plaintext credentials extracted via CVE-2019-11510. The exposure was internet-scale, not targeted, meaning essentially any organization with an unpatched internet-facing Pulse Secure appliance had their credentials extracted.
Would MFA have prevented the damage from CVE-2019-11510?
Yes, substantially. CVE-2019-11510 steals VPN authentication credentials (usernames and passwords). If MFA is enforced on all VPN connections, stolen credentials alone cannot provide VPN access, an attacker also needs the second factor (TOTP code, push notification, or hardware token). MFA does not prevent the file read from occurring, but it makes the stolen credentials unusable for VPN authentication. CISA's advisory for CVE-2019-11510 specifically recommended implementing MFA as the primary long-term protection against credential-based VPN attacks.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
