HC3 TLP White Analyst Note: Active Exploitation of Pulse Secure Zero-Day Vulnerabilities by Multiple Threat Actors

April 2020

VPN provider Ivanti Pulse Secure has released mitigations for multiple actively exploited vulnerabilities affecting the Pulse Connect Secure (PCS) SSL VPN appliance, including a new vulnerability tracked as CVE-2021-22893. Because multiple state-sponsored threat actors have been observed exploiting it in the wild, the newly discovered vulnerability has been assigned the highest possible severity rating (10/10). Pulse Secure plans to release a security update in early May. Although Pulse Secure has stated that only a small number of customers were subject to active exploitation of these vulnerabilities, both Pulse Secure and CISA recommend that customers use the recently released Ivanti Pulse Connect Secure Integrity Tool to determine whether any systems are impacted. Currently, there is no evidence that these attacks have introduced any backdoors or supply chain compromise. While no Healthcare and Public Health (HPH) Sector entities have been publicly identified as victims, HPH organizations using PCS should act to mitigate these vulnerabilities.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272