Security News > 2021 > May > Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.

Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.

It's related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and "Allows a remote unauthenticated attacker to execute arbitrary code via license server web services." It can be exploited without any user interaction.

Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.

CVE-2021-22899: A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.

April: The Department of Homeland Security urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims' credentials - and now are using those credentials to move laterally through organizations, DHS warned.

News URL

https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/