Pulse Secure has released a patch for the actively exploited zero-day vulnerability – CVE-2021-22893 – in the Pulse Connect Secure SSL VPN appliance. Last week, FireEye researchers announced they had identified instances where the flaw had been exploited by threat groups, with one of those groups believed to be a Chinese Advanced Persistent Threat actor. Exploitation of the flaw could allow unauthenticated remote attackers to gain access to the appliance via unspecified vectors and execute arbitrary code.
CISA reported last week that the vulnerability – along with three others – was being exploited by threat actors who have been targeting government agencies and defense firms to steal credentials and insert backdoors into systems for persistent access.
An emergency directive was issued instructing all federal agencies to implement mitigations within two days to block attacks until a patch was made available, and also to use the Pulse Connect Secure Integrity Tool to identify whether any of the vulnerabilities had already been exploited. CISA said last week it is investigating whether five federal agencies that use Pulse Secure appliances have been breached through exploitation of the vulnerabilities.
The vulnerability is present in Pulse Connect Secure 9.0RX and 9.1RX. All organizations that use the Pulse Connect Secure SSL VPN appliance have been advised to apply the patch immediately even if they implemented the suggested mitigations. The flaw has been permanently corrected in Pulse Connect Secure 9.1R11.4.
Pulse Secure advises all organizations to use the Pulse Connect Secure Integrity Tool prior to updating to the latest version to determine whether the flaw has already been exploited.