Knowledge Search


[SRX] Pulse Secure client privilege escalation issue (CVE-2016-2408)

  [TSB16966] Show Article Properties

Alert Type:
PSN - Product Support Notification
Product Affected:
Pulse Secure client for Windows
Alert Description:
The SRX dynamic VPN feature works in conjunction with the Pulse Secure VPN client, simplifying remote access Internet Protocol Security (IPsec) VPN tunnels.

Pulse Secure LLC, recently issued security advisory SA40241 (CVE-2016-2408) for Pulse Secure products.  Item #1 of the Security Advisory, relating to Pulse Secure (Windows) Desktop clients, is the only area of relevance relating to SRX VPN connections.

By exploiting this client side vulnerability, a restricted user on a Windows endpoint machine can obtain administrative privilege.  This is a client-side exploit only and does not affect the SRX devices or IPsec connections to SRX devices.

SRX customers using Pulse Secure (Windows) Desktop client with versions below 5.1R9.1 are recommended to upgrade client software to 5.1R9.1.
Note: Macintosh image is provided below, however the exploit is not known to impact Macintosh systems
To verify Windows based Pulse Secure client version in use:
  • Right click Pulse icon in task bar
  • Select Open Pulse / Open Pulse Secure
  • Click Help tab
  • Click on About

Windows 32bit installer Windows 64bit installer

Pulse Secure 5.1R9.1 Release Notes

Pulse Secure Supported Platforms Guide
Related Links: