
DHS Urges Pulse Secure VPN Users To Update Passwords
2020-04-17 20:56

The Department of Homeland Security is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies that had previously patched a related flaw in the VPN. DHS warns that the Pulse Secure VPN patches may have come too late.

"CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510," according to CISA's alert.

The flaw exists in Pulse Connect Secure, Pulse Secure's SSL VPN platform used by various enterprises and organizations.

One such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets.

Various other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state-sponsored hackers who leveraged the flaw to conduct cyber-espionage campaigns against dozens of companies in Israel.


News URL

https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/

Related Vulnerability

Date: 2019-05-08
CVE: CVE-2019-11510
Vulnerability title: Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0
Description: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
Attack vector: network
Attack complexity: low
Vendor: ivanti
CWE: CWE-22
Risk: critical (10.0)