Pulse Secure has patched a critical zero-day vulnerability that was being exploited by multiple APT groups to target US defense companies, among other entities.
The security update fixes CVE-2021-22893, a critical authentication bypass vulnerability in the Pulse Connect Secure VPN product which has a CVSS score of 10.0.
It was being exploited in combination with bugs from 2019 and 2020, for which the vendor had already issued patches that some organizations had not applied, to bypass multi-factor authentication on the product. This allowed attackers to deploy webshells for persistence and perform surveillance activities.
Mandiant said at the time that it had tracked 12 malware families to the exploitation of the vulnerability, and at least one state-sponsored attack group, APT5.
Reports of these attacks first started to appear around two weeks ago, with both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issuing warnings to organizations.
Phil Richards, CSO of Pulse Secure’s parent company Ivanti, argued that the firm was making “significant investments” to improve its security posture, including enhancements to its application development processes.
“The Pulse Secure team has worked closely with CISA as well as leading forensic experts and industry groups, including Mandiant/FireEye and Stroz Friedberg, among others, to investigate and respond quickly to malicious activity that was identified on a very limited number of customer systems,” he added.
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we are pleased to be able to deliver a security patch in such short order to address the vulnerability.”
Richards also encouraged Pulse Secure customers to take advantage of an integrity checker tool to see if they’ve been impacted by the threat.
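The integrity checker mentioned above rests on a simple idea: hash every file on a trusted baseline, keep that manifest, and later diff a fresh snapshot against it so that added, modified or removed files (for example a dropped webshell) stand out. The Python below is an added illustration of that general technique; it is not Pulse Secure's or Ivanti's tool and knows nothing about their appliance layout. The sample directory tree, file names and contents are constructed for the demonstration.

```python
"""Added example: minimal file-integrity baseline and comparison.

Not Pulse Secure's Integrity Checker Tool; a generic illustration of the
technique such a tool relies on (hash manifest of a known-good state, then
diff a later snapshot against it).
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under `root` (relative path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, take a baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("welcome page")
        with open(os.path.join(root, "cgi", "login.cgi"), "w") as f:
            f.write("original handler")
        baseline = build_manifest(root)

        # Simulated tampering: one existing file altered, one unexpected file added.
        with open(os.path.join(root, "cgi", "login.cgi"), "w") as f:
            f.write("altered handler")
        with open(os.path.join(root, "cgi", "extra.cgi"), "w") as f:
            f.write("unexpected file")
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest must come from a source the attacker cannot rewrite (vendor-published hashes, or a copy taken before exposure and stored off the device), otherwise an intruder who already has write access can simply regenerate it to match the tampered files.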