Pulse Secure, which was acquired by Ivanti in late 2020, has released news of a new vulnerability and three previously patched vulnerabilities are being exploited on their Pulse Connect Secure (PCS) appliances. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published an alert on April 20 indicating they are aware of compromises affecting U.S. government agencies, critical infrastructure entities and other private sector organizations by cyber threat actors in certain Ivanti Pulse Connect Secure products. This threat has been rated by federal officials as the highest possible severity (10/10).

CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti provided Pulse Secure Connect Integrity Tool and update to the latest software. The Ivanti provided mitigation tools are available through the company’s knowledge base at: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

In addition, the U.S. Department of Health and Human Services (HHS) Assistant Secretary for Preparedness and Response (ASPR) TRACIE and the Health Sector Cybersecurity Coordination Center (HC3) also issued alerts to the health sector indicating the need for impacted organizations to respond to this ongoing exploitation. HHS ASPR TRACIE also urged providers to follow the CISA mitigation tactics, including:

• Running the Ivanti Integrity Checker Tool: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
• Updating their Pulse Connect Secure appliance to the latest software version: https://blog.pulsesecure.net/
• Implementing the mitigation provided by Ivanti Pulse Secure if evidence of compromise is found: https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s