Security News > 2020 > April > Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns
Patching vulnerable enterprise VPNs from Pulse Secure is not enough to keep out malicious actors who have already exploited a vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency warns.
In August last year, Pulse Secure said that a majority of customers had installed the fixes released in April, but CISA now says that patching alone might not be enough to ensure the security of affected systems.
In an update to an alert issued in January 2020, CISA says that the attackers might still have access to enterprise networks that were previously compromised via the Pulse Secure vulnerability, if administrators did not change credentials after applying the available patches.
"Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance," the agency says.
"CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If-after applying the detection measures in this alert-organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts," CISA concludes.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-05-08 | CVE-2019-11510 | Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0 In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability . | 10.0 |