Blog

Pulse Connect Secure Product Vulnerabilities and Mitigations

Released

CISA issued Emergency Directive 21-03, Mitigate Pulse Connect Secure Product Vulnerabilities. The Directive requires federal civilian agencies using Pulse Connect Secure products to install and run the Pulse Connect Secure Integrity Tool for the specified period of time, take specific actions if any abnormal activity is detected, and ensure all product updates and security advisories are installed. Given the current exploitation, prevalence of the affected software in the federal enterprise and other factors, CISA has determined that these vulnerabilities pose an unacceptable risk that warrants emergency action to protect the federal networks. CISA also published Activity Alert (AA21-110a) with further technical details on cyber threat actor or actors exploiting Pulse Connect Secure and recommended mitigations.

CISA is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier. Since March 31, 2021, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor.

Emergency Directive and Updates

 

  • CISA Emergency Directive 21-03
    • On April 20, 2021 CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.

 

Press Releases

  • CISA Press Release: CISA Encourages All Organizations to Take Steps to Protect their Networks
    • This press release announces the CISA Emergency Directive 21-03 in response to the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. The Directive requires federal civilian agencies using Pulse Connect Secure products to install and run the Pulse Connect Secure Integrity Tool for the specified period of time, take specific actions if any abnormal activity is detected, and ensure all product updates and security advisories are installed.

 

Alerts and Guidance