Pulse Connect Secure Product Vulnerabilities and Mitigations

CISA issued Emergency Directive 21-03, Mitigate Pulse Connect Secure Product Vulnerabilities. The Directive requires federal civilian agencies using Pulse Connect Secure products to install and run the Pulse Connect Secure Integrity Tool for the specified period of time, take specific actions if any abnormal activity is detected, and ensure all product updates and security advisories are installed. Given the current exploitation, prevalence of the affected software in the federal enterprise and other factors, CISA has determined that these vulnerabilities pose an unacceptable risk that warrants emergency action to protect the federal networks. CISA also published Activity Alert (AA21-110a) with further technical details on cyber threat actor or actors exploiting Pulse Connect Secure and recommended mitigations.

CISA is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier. Since March 31, 2021, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor.

Emergency Directive and Updates

• CISA Emergency Directive 21-03
  • On April 20, 2021 CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.

Press Releases

• CISA Press Release: CISA Encourages All Organizations to Take Steps to Protect their Networks
  • This press release announces the CISA Emergency Directive 21-03 in response to the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. The Directive requires federal civilian agencies using Pulse Connect Secure products to install and run the Pulse Connect Secure Integrity Tool for the specified period of time, take specific actions if any abnormal activity is detected, and ensure all product updates and security advisories are installed.

Alerts and Guidance

• On May 27, CISA updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to include newly observed threat actor techniques, tactics, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations
• On May 3, CISA updated AA21-110A to include new Ivanti Security Advisory SA44784 addressing CVE-2021-22893 and three additional newly disclosed CVEs—CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900.
• CISA has issued Emergency Directive (ED) 21-03, as well as Alert AA21-110A, to address the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. An attacker could exploit these vulnerabilities to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device. These vulnerabilities are being exploited in the wild.
• CISA is aware of ongoing exploitation of Ivanti Pulse Connect Secure vulnerabilities compromising U.S. government agencies, critical infrastructure entities, and private sector organizations, and in response released Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to offer technical details regarding this activity. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:
  • Running the Ivanti Integrity Checker Tool
  • Updating their Pulse Connect Secure appliance to the latest software version
  • Implementing the mitigation provided by Ivanti Pulse Secure (if evidence of comprise is found)