Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence.

Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliance by exploiting multiple vulnerabilities including three vulnerabilities that were disclosed in 2019 and 2020 and one recently disclosed zero-day vulnerability. Patches have been available for several months to fix the first three vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; however, a patch has yet to be released to correct the most recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-2893 authentication bypass vulnerability has received the maximum CVSS vulnerability severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. Exploitation of the flaw allows a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway. The flaw is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although this has yet to be confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat actor to bypass authentication and multi-factor authentication controls, log passwords, and gain persistent access to the appliance even after the patches have been applied.

Ivanti and CISA strongly advise all users of the vulnerable Pulse Connect Secure appliances to apply the patches immediately to prevent exploitation and to implement the mitigations recently published by Ivanti to reduce the risk of exploitation of the CVE-2021-22893 vulnerability until a patch is released. The workaround involves deleting two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration.

Update: Ivanti has released a patch to correct the zero-day vulnerability – All users of Pulse Connect Secure 9.0RX and 9.1RX have been advised to immediately upgrade to Pulse Connect Secure 9.1R11.4 which permanently fixes the flaw. 

Since patching will not block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends using the Pulse Connect Secure Integrity Tool to investigate whether the vulnerabilities have already been exploited.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.