Pulse Secure Pulse Connect Secure (PCS) Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability


An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced.




The information has been provided by Vendor

The original article can be found at:https://git.lsd.cat/g/pulse-host-checker-rce



Allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.


Vulnerable Systems:

Pulse Secure Pulse Connect Secure (PCS)


CVE Information:


Disclosure Timeline:
Published Date:4/6/2020

Categories: News