Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack

Cyber Security

Ivanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors.

Tracked as CVE-2021-22893 (CVSS score 10), the flaw concerns “multiple use after free” issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code and take control of the affected system. All Pulse Connect Secure versions prior to 9.1R11.4 are impacted.

The flaw came to light on April 20 after FireEye disclosed a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in the remote access solution to bypass multi-factor authentication protections and breach enterprise networks.

The development promoted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive urging federal agencies and civilian departments to mitigate any anomalous activity or active exploitation detected on their networks.

Following an investigation conducted in conjunction with FireEye Mandiant, Ivanti said the attacks were observed on a “very limited number” of customer systems. FireEye is tracking the activity under two separate clusters UNC2630 and UNC2717 citing differences in the malicious web shells that were dropped on the compromised devices.

“As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats,” the Utah-based software firm said.

“Companywide we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards.”

Pulse Secure customers are advised to move quickly to apply the update to ensure they are protected. The company has also released a Pulse Connect Secure Integrity Tool to check for signs of compromise and identify malicious activity on their systems.