Security News > 2021 > May > Pulse Secure Ships Belated Fix for VPN Zero-Day
Embattled VPN technology vendor Pulse Secure on Monday updated an "Out-of-cycle" advisory with patches for four major security vulnerabilities, including belated cover for an issue that's already been exploited by advanced threat actors.
When Pulse Secure released its initial advisory for the bug on April 20, FireEye reported seeing this and three other Pulse Secure VPN appliance vulnerabilities being exploited as an initial access vector by at least two sophisticated threat actors.
The CVE-2021-22893 flaw was the only zero-day - the other three Pulse Secure vulnerabilities believed to have been used in these attacks were patched in 2019 and 2020.
FireEye has identified several new malware families associated with the exploitation of Pulse Secure VPN appliances.
It's not uncommon for threat actors to target vulnerabilities in Pulse Secure products.
Over the past few years, flaws in Pulse Secure VPN appliances have been exploited by both state-sponsored threat actors and profit-driven cybercrime groups.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-23 | CVE-2021-22893 | Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1 Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |