Pulse Connect Secure remote access vulnerability

The vulnerability is present in the 9.0R3 and later versions of Pulse Connect Secure. The vulnerability enables attackers to execute an arbitrary malware code on the Pulse Connect Secure gateway. While no patches for the vulnerability have yet been made available, Pulse Secure has published instructions for mitigating it on its website. 

The vulnerability, which is known as CVE-2021-22893, has been rated CVSS 10.0 (critical) in severity.

We recommend that users of the Pulse Secure VPN check it for signs of a breach. This should be done using the integrity tool provided by Ivanti Product Systems (parent company of Pulse Secure), which finds any additional or modified files. If such files are found, a breach has likely taken place. The tool can be downloaded from the Pulse Secure website (External link).

If there is reason to believe that a data breach has taken place, it must be investigated immediately. Webshell backdoors have been placed on breached Pulse Secure VPN appliances. Signs of the backdoors may be found by examining the log data of the Pulse Secure VPN appliance’s web server, particularly for suspicious HTTP POST traffic. We also recommend that users check new or modified files in the /webserver/htdocs/dana-na/ directory of the Pulse Secure VPN appliance's web server and its subdirectories for malicious content.

Please notify (External link) the National Cyber Security Centre Finland of all observations related to the vulnerability.