Security News > 2021 > August > Pulse Secure VPNs Get New Urgent Update for Poorly Patched Critical Flaw

Pulse Secure has shipped a fix for a critical post-authentication remote code execution vulnerability in its Connect Secure virtual private network appliances to address an incomplete patch for an actively exploited flaw it previously resolved in October 2020.

"The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root," NCC Group's Richard Warren disclosed on Friday.

The disclosure comes days after Ivanti, the company behind Pulse Secure, published an advisory for as many as six security vulnerabilities on August 2, urging customers to move quickly to update to Pulse Connect Secure version 9.1R12 to secure against any exploitation attempts targeting the flaws.

Tracked as CVE-2021-22937, the shortcoming could "Allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface," according to Pulse Secure.

It's worth noting that CVE-2020-8260 was one among the four Pulse Secure flaws that was actively exploited by threat actors earlier this April to stage a series of intrusions targeting defense, government, and financial entities in the U.S. and beyond in a bid to circumvent multi-factor authentication protections and breach enterprise networks.

Given the possibility of real-world exploitation, it's highly recommended to upgrade to Pulse Connect Secure 9.1R12, or later.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/pAt4zMSVrsI/pulse-secure-vpns-get-new-urgent-update.html