A major flaw in Pulse Connect Secure VPN, which allowed cybercriminals to compromise the internal networks of certain US government agencies and other targets, has now been remedied.
The zero-day, first spotted by cybersecurity experts at FireEye and logged as CVE-2021-22893, is currently being exploited in the wild, so all customers are urged to apply the new patch immediately.
FireEye said criminals were using the zero-day to install malware on Pulse Secure devices, steal login credentials and create a backdoor to the compromised networks.
Besides the patch, Pulse Secure also released a checker tool, called Pulse Connect Secure Integrity Tool, which helps organizations see if any files were tampered with. The company said it would be wise to use the tool before deploying the patch.
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we are pleased to be able to deliver a security patch in such short order to address the vulnerability,” said a company spokesperson in a statement.
Businesses using the Pulse Connect Secure 9.0RX & 9.1RX are urged to apply the patch immediately, and update to version 9.1R11.4. The company also warned that upgrading from Pulse Connect versions before 9.1R8.x could result in problems with the browser VPN due to an expired certificate.