VPN Patch Released For 24 Federal Agencies

WASHINGTON: Pulse Connect Secure today released a security patch for its virtual private network (VPN) product that is widely used by federal agencies, critical infrastructure operators, and the defense industrial base. The VPN allows the federal workforce to access enterprise networks from remote locations.

Ivanti, the parent company of the VPN developer, said it worked with CISA and other entities to address the zero-day vulnerability originally disclosed just weeks ago. This vulnerability is one of four that are being actively exploited in the wild. The other three vulnerabilities have been known since at least last year and have patches currently available.

The news comes as CISA confirmed Friday it’s investigating possible breaches at five federal agencies, all in connection with Pulse Connect Secure vulnerabilities. We don’t know which agencies are affected or the severity of any potential breaches.

CISA has said 24 federal agencies use Pulse Connect Secure.

The Pulse Connect Secure team wrote in a blog post that, since the recently discovered vulnerability’s disclosure, it has “investigate[d] and respond[ed] quickly to malicious activity that was identified on a very limited number of customer systems.”

This included releasing a free online tool called Pulse Security Integrity Checker, which can be used to identify vulnerable systems. Two weeks ago, CISA issued an activity alert and emergency directive instructing all federal agencies to use the tool and report results back to CISA by April 23. Based on that information, CISA discovered evidence of the five potential agency breaches.

CISA has said the US government has not attributed the campaign yet.

This cyber campaign targeting agencies, critical infrastructure operators, and private companies is the third such disclosed over the past five months, to include the SolarWinds and Microsoft Exchange campaigns.