Threat actors are leveraging a zero-day vulnerability in Pulse Connect Secure (PCS), for which there is no immediate patch scheduled for release. Attackers also appear to be leveraging three previously known and patched vulnerabilities in PCS from 2019 and 2020. Please find below a comment from Scott Caveza, Research Engineering Manager, Tenable, and a full analysis from Tenable here.
“CVE-2021-22893 is a critical authentication bypass zero-day vulnerability that gives attackers an entry point into Pulse Connect Secure (PCS) SSL VPN appliances. In addition to CVE-2021-22893, attackers also appear to be leveraging three previously known and patched vulnerabilities in PCS from 2019 and 2020: CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260. CVE-2019-11510, which has been exploited in the wild since details became public in August 2019, was one of the Top 5 vulnerabilities in Tenable’s 2020 Threat Landscape Retrospective report because of its ease of exploitation and widespread exploitation.
“Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organizations, especially in the wake of the shift to the remote workforce over the last year. Attackers can utilize this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it’s just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510.” — Scott Caveza, Research Engineering Manager, Tenable