Ivanti has discovered three new Pulse Connect Secure (PCS) Critical vulnerabilities nearly two weeks after DHS reported active exploits against other PCS vulnerabilities.
In the latest advisory published May 3, Ivanti added three new security updates for Critical vulnerabilities CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900. In addition, an update for previously disclosed CVE-2021-22893 was also included. Cyber experts have warned the latter has known active exploits in the wild.
To mitigate these vulnerabilities, users will need to upgrade the Pulse Connect Secure server software to version 9.1R.11.4.
Just a few days ago, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers continue to exploit Pulse Connect Secure vulnerabilities, including CVE-2021-22893, CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243.
Moreover, the alert was issued after CISA confirmed malicious activity on vulnerable Pulse Connect Secure appliances in public and private entity networks. Additional detection methods were also added on April 30.
Since March 31, 2021, CISA has assisted multiple entities whose vulnerable Pulse Connect Secure products had been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Connect Secure Integrity Tool.