Input validation error in Pulse Connect Secure

Published: 2018-05-10 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-9849
Exploitation vector Network
Public exploit N/A
Vulnerable software
Pulse Connect Secure
Server applications / Remote access servers, VPN

Vendor Pulse Secure

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU37141

Risk: Medium


CVE-ID: CVE-2018-9849


Exploit availability:


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.


Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3 - 8.3R4

Fixed software versions

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?