On Tuesday 20 April, FireEye published information about an actively exploited vulnerability in Pulse Secure VPN. In this message, we want to warn you about the threat and inform you about the possible mitigation steps.
FireEye released information about a vulnerability in Pulse Secure VPN, registered with CVE-2021-22893. The vulnerability has been scored at the maximum value within the CVSS 3.1 framework, namely 10.0. The vulnerability is actively exploited.
The affected software versions are Pulse Connect Secure (PCS) versions 9.0R3 and higher.
By exploiting this vulnerability a threat actor gains remote code execution capabilities on the appliance running Pulse Connect Secure. There are known cases in which attackers gained persistence by installing web shells during their attack. Thus, we estimate the impact as high.
By their nature, most Pulse Connect Secure appliances are publicly accessible. Because no credentials are needed to execute the attack, we estimate the risk as high.
What should you do?
Pulse Secure provides a workaround on their website for some affected systems which prevents abuse of the vulnerability, since an actual bug fix is not ready yet. Northwave recommends applying this workaround. Two features of the appliance will be disabled: Windows File Share Browser and Pulse Secure Collaboration.
Appliances running PCS versions 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2 should be updated before the workaround can be applied. The workaround is not recommended for license servers. The protection of license servers can instead be improved at the firewall level, by limiting which sources may connect to them.
After applying the workaround you should check for earlier compromise, since the vulnerability is actively abused. Pulse Secure provides the PCS Integrity Assurance tool to validate your systems.
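The steps above (check the version, update first where required, apply the workaround except on license servers, then run the integrity check) can be turned into a small triage script for an appliance inventory. The following is an added example and not part of this advisory or of any Pulse Secure tooling; the version-string parser, the `Appliance` record and the inventory it runs over are our own constructions, and the action labels it returns are hypothetical names for the steps described in the text.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# PCS versions look like "9.0R3", "9.0R4.1" or "9.1R11.4": major.minor "R" release[.patch].
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Ranges as stated in the advisory: affected from 9.0R3 upwards; these two ranges
# must be updated before the workaround can be applied.
AFFECTED_FROM = "9.0R3"
UPDATE_BEFORE_WORKAROUND = [("9.0R1", "9.0R4.1"), ("9.1R1", "9.1R2")]


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a PCS version string into a comparable (major, minor, release, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version: str) -> bool:
    """True for 9.0R3 and higher (the affected range named in the advisory)."""
    return parse_pcs_version(version) >= parse_pcs_version(AFFECTED_FROM)


def needs_update_first(version: str) -> bool:
    """True when the appliance must be updated before the workaround can be applied."""
    v = parse_pcs_version(version)
    return any(parse_pcs_version(lo) <= v <= parse_pcs_version(hi)
               for lo, hi in UPDATE_BEFORE_WORKAROUND)


@dataclass
class Appliance:
    """Hypothetical inventory record: hostname, PCS version and role ('vpn' or 'license')."""
    host: str
    version: str
    role: str = "vpn"


def recommend(app: Appliance) -> str:
    """Map one appliance to the next action from the advisory (labels are our own)."""
    if not is_affected(app.version):
        return "not-affected"
    if app.role == "license":
        # Workaround not recommended for license servers; restrict access at the firewall.
        return "restrict-at-firewall"
    if needs_update_first(app.version):
        return "update-then-workaround-then-integrity-check"
    return "workaround-then-integrity-check"


def triage(inventory: List[Appliance]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs for a whole inventory."""
    return [(app.host, recommend(app)) for app in inventory]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    Appliance("vpn-old.example.test", "9.0R2"),
    Appliance("vpn-a.example.test", "9.0R4.1"),
    Appliance("vpn-b.example.test", "9.1R11.4"),
    Appliance("lic-1.example.test", "9.1R2", role="license"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {action}")
```

Comparing parsed tuples rather than raw strings matters here: a plain string comparison would order "9.0R4.1" after "9.0R11" and misclassify appliances near the range boundaries.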