CVE-2019-11510

CRITICAL
Path Traversal (CWE-22)
2019-05-08 cve@mitre.org
CVSS 3.1: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:19 (vuln.today)
Added to CISA KEV: Dec 18, 2025 - 02:00 (cisa), CISA KEV
PoC Detected: Dec 18, 2025 - 02:00 (vuln.today), Public exploit code
Patch released: Dec 18, 2025 - 02:00 (nvd), Patch available
CVE Published: May 08, 2019 - 17:29 (nvd), CRITICAL 10.0

Description (NVD)

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file reading vulnerability.

Analysis (AI)

Pulse Secure Pulse Connect Secure contains a pre-authentication arbitrary file reading vulnerability that allows unauthenticated remote attackers to read any file from the VPN appliance, including cached credentials and session tokens.

Technical Context (AI)

The CWE-22 path traversal flaw lets an unauthenticated client read arbitrary files by sending a crafted URI to the VPN web interface. Critical files exposed include /etc/passwd, /etc/shadow (encrypted), and, most importantly, the session database containing cached AD credentials in plaintext and active VPN session cookies.

Affected Products (AI)

Pulse Secure Pulse Connect Secure 8.2 before 8.2R12.1
Pulse Secure PCS 8.3 before 8.3R7.1
Pulse Secure PCS 9.0 before 9.0R3.4
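
For inventory triage, the three ranges above can be checked mechanically. The following Python is an added example, not code from vuln.today, NVD or the vendor; the version-string format (`<major>.<minor>R<release>[.<patch>]`), the function names and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed release per affected branch, as listed on this page.
FIXED = {(8, 2): (12, 1), (8, 3): (7, 1), (9, 0): (3, 4)}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. "9.0R3.4".
# Anything after the version (build numbers etc.) is ignored.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_pcs_version(text):
    """Return ((major, minor), (release, patch)); raise ValueError if unparsable."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    patch = int(m[4]) if m[4] else 0  # "8.3R7" is treated as 8.3R7.0
    return (int(m[1]), int(m[2])), (int(m[3]), patch)


def classify(text):
    """Classify one version string against the ranges listed on this page."""
    try:
        branch, build = parse_pcs_version(text)
    except ValueError:
        return "unparsed"
    fixed = FIXED.get(branch)
    if fixed is None:
        # The page says nothing about this branch; check the vendor advisory.
        return "not-listed"
    # Tuples compare numerically, so R5 sorts before R12 (a string compare would not).
    return "affected" if build < fixed else "fixed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory; hostnames and versions are placeholders.
SAMPLE_INVENTORY = {
    "vpn-a.example": "8.2R5.0",
    "vpn-b.example": "8.3R7",
    "vpn-c.example": "9.0R3.4 (build 0000)",
    "vpn-d.example": "9.1R1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A result of "fixed" only reflects the installed version; the credential rotation and session revocation described under Remediation still apply to any appliance that ran an affected release.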

Remediation (AI)

Patch immediately. After patching, rotate ALL Active Directory credentials that were cached on the VPN appliance. Revoke all active VPN sessions. Enable MFA for VPN access. Review authentication logs for unauthorized access using stolen credentials.
