CVE-2021-22938: 
Ivanti Connect Secure vulnerability analysis and mitigation

CVE-2021-22938 is a command injection vulnerability discovered in Pulse Connect Secure versions before 9.1R12. The vulnerability was disclosed on August 16, 2021, affecting the administrator web console of the Pulse Connect Secure VPN solution. This security flaw allows an authenticated administrator to perform command injection through an unsanitized web parameter in the administrator web console (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and a CVSS v2.0 Base Score of 6.5 (MEDIUM). The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command Injection). The issue stems from insufficient input validation of web parameters in the administrator console, allowing command injection attacks (NVD).

If successfully exploited, this vulnerability could allow an authenticated administrator to execute arbitrary commands on the affected system through the administrator web console. The high CVSS score indicates that successful exploitation could lead to a complete compromise of the system's confidentiality, integrity, and availability (NVD).

The primary mitigation for this vulnerability is to upgrade to Pulse Connect Secure version 9.1R12 or later. Organizations should prioritize this update due to the high severity rating and the potential impact of exploitation (CERT-FR).