CVE-2020-13162: n/a in n/a
A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.
AI Analysis
Technical Summary
CVE-2020-13162 is a high-severity time-of-check to time-of-use (TOCTOU) vulnerability affecting the Pulse Secure Client software on Windows platforms, specifically versions prior to 9.1.6 down to 5.3 R70. The vulnerable component is PulseSecureService.exe, which runs with NT AUTHORITY/SYSTEM privileges, the highest level of privilege on Windows systems. The flaw allows an unprivileged user to execute a Microsoft Installer (MSI) executable with elevated privileges by exploiting a race condition between the time a security check is performed and the time the resource is used. This TOCTOU vulnerability (classified under CWE-367) enables privilege escalation from a low-privileged user context to SYSTEM-level execution, potentially allowing an attacker to install malicious software, modify system configurations, or gain persistent control over the affected system. The vulnerability does not require user interaction but does require local access (AV:L), and the attack complexity is high (AC:H), meaning exploitation requires specific conditions or timing. The CVSS v3.1 base score is 7.0, reflecting high impact on confidentiality, integrity, and availability due to the SYSTEM-level privileges that can be obtained. No known exploits in the wild have been reported, and no official patches are linked in the provided data, though vendor updates after version 9.1.6 presumably address this issue.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for enterprises using Pulse Secure VPN clients to provide remote access to corporate networks. Successful exploitation could allow an insider or an attacker with limited local access to escalate privileges and compromise endpoint security, leading to unauthorized access to sensitive data, disruption of services, or lateral movement within the network. Given the widespread use of Pulse Secure VPN solutions in sectors such as finance, healthcare, government, and critical infrastructure across Europe, exploitation could result in data breaches, operational downtime, and regulatory non-compliance under GDPR. The SYSTEM-level access gained could also facilitate deployment of ransomware or other malware, amplifying the threat impact. The lack of known public exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
European organizations should prioritize upgrading Pulse Secure Client installations to version 9.1.6 or later, where this vulnerability is addressed. In the absence of immediate patch availability, organizations should restrict local user access on systems running vulnerable versions, enforce strict endpoint security policies, and monitor for suspicious MSI execution activities. Employ application whitelisting to prevent unauthorized MSI installations and use endpoint detection and response (EDR) tools to detect anomalous privilege escalation attempts. Network segmentation should be enforced to limit the impact of compromised endpoints. Additionally, organizations should conduct regular audits of installed software versions and ensure that VPN clients are updated promptly. User training to recognize potential local attack vectors and enforcing the principle of least privilege for local accounts can further reduce risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
CVE-2020-13162: n/a in n/a
Description
A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.
AI-Powered Analysis
Technical Analysis
CVE-2020-13162 is a high-severity time-of-check to time-of-use (TOCTOU) vulnerability affecting the Pulse Secure Client software on Windows platforms, specifically versions prior to 9.1.6 down to 5.3 R70. The vulnerable component is PulseSecureService.exe, which runs with NT AUTHORITY/SYSTEM privileges, the highest level of privilege on Windows systems. The flaw allows an unprivileged user to execute a Microsoft Installer (MSI) executable with elevated privileges by exploiting a race condition between the time a security check is performed and the time the resource is used. This TOCTOU vulnerability (classified under CWE-367) enables privilege escalation from a low-privileged user context to SYSTEM-level execution, potentially allowing an attacker to install malicious software, modify system configurations, or gain persistent control over the affected system. The vulnerability does not require user interaction but does require local access (AV:L), and the attack complexity is high (AC:H), meaning exploitation requires specific conditions or timing. The CVSS v3.1 base score is 7.0, reflecting high impact on confidentiality, integrity, and availability due to the SYSTEM-level privileges that can be obtained. No known exploits in the wild have been reported, and no official patches are linked in the provided data, though vendor updates after version 9.1.6 presumably address this issue.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for enterprises using Pulse Secure VPN clients to provide remote access to corporate networks. Successful exploitation could allow an insider or an attacker with limited local access to escalate privileges and compromise endpoint security, leading to unauthorized access to sensitive data, disruption of services, or lateral movement within the network. Given the widespread use of Pulse Secure VPN solutions in sectors such as finance, healthcare, government, and critical infrastructure across Europe, exploitation could result in data breaches, operational downtime, and regulatory non-compliance under GDPR. The SYSTEM-level access gained could also facilitate deployment of ransomware or other malware, amplifying the threat impact. The lack of known public exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
European organizations should prioritize upgrading Pulse Secure Client installations to version 9.1.6 or later, where this vulnerability is addressed. In the absence of immediate patch availability, organizations should restrict local user access on systems running vulnerable versions, enforce strict endpoint security policies, and monitor for suspicious MSI execution activities. Employ application whitelisting to prevent unauthorized MSI installations and use endpoint detection and response (EDR) tools to detect anomalous privilege escalation attempts. Network segmentation should be enforced to limit the impact of compromised endpoints. Additionally, organizations should conduct regular audits of installed software versions and ensure that VPN clients are updated promptly. User training to recognize potential local attack vectors and enforcing the principle of least privilege for local accounts can further reduce risk.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2020-05-19T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981dc4522896dcbdb16d
Added to database: 5/21/2025, 9:08:45 AM
Last enriched: 7/3/2025, 9:56:00 AM
Last updated: 8/16/2025, 7:55:41 PM
Views: 13
Related Threats
Researcher to release exploit for full auth bypass on FortiWeb
HighCVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.