In yet another example of VPN appliance vulnerabilities being actively exploited by threat actors, 20 April 2021 saw the publication of a critical Pulse Connect Secure (PCS) SSL VPN appliance vulnerability, CVE-2021-22893: an authentication bypass that allows an unauthenticated threat actor to remotely execute arbitrary code on a PCS gateway.
This critical vulnerability, assigned the maximum CVSS score of 10, has reportedly been observed as an initial infection vector in recent attacks against European and US Defense networks, as well as financial organizations, orchestrated by suspected nation-state sponsored threat actors sharing similarities with historic Chinese-nexus activity.
Likely exploited alongside previous high-severity vulnerabilities, CVE-2021-22893 is reported as affecting Pulse Connect Secure versions 9.0R3 and higher, with only a workaround available as of 20 April 2021.
A fix is designated for version 9.1R11.4, but the original advisory gives an 'as yet to be decided' timeline for security updates, which are likely to apply to the following product versions:
For reference, given their continued exploitation, previous high-severity vulnerabilities potentially used alongside CVE-2021-22893 include:
Given the reported observation of suspected nation-state threat actors exploiting these vulnerabilities in the wild, high-sophistication threat actors may also seek to take advantage of similar tactics to gain access to victim networks.
Specifically, financially-motivated 'big game hunter' ransomware groups have previously exploited similar vulnerabilities in order to gain access to networks within organizations across multiple industries and regions.
As a warning of the risk these vulnerabilities pose, it was widely reported that the Travelex/REvil ransomware incident in January 2020 commenced with the exploitation of a Pulse Secure VPN vulnerability, leading to a near-catastrophic outcome for the organization. Having gained initial access, the threat group was able to move laterally within the organization before enacting its 'steal, encrypt and leak' tactics in an attempt to extort millions.