Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack


Ivanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors.

Tracked as CVE-2021-22893 (CVSS score 10), the flaw concerns “multiple use after free” issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code and take control of the affected system. All Pulse Connect Secure versions prior to 9.1R11.4 are impacted.

The flaw came to light on April 20 after FireEye disclosed a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in the remote access solution to bypass multi-factor authentication protections and breach enterprise networks.

Read more…