Undefined Undefined / Getty Images
Organizations using Pulse Secure’s mobile VPN should patch vulnerabilities reportedly being exploited in the wild, possibly by a “Chinese espionage actor”.
The patch–available here–is considered important enough that the Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies a deadline of April 23 to apply them.
CISA’s guidance states that federal users of Pulse Connect Secure VPNs must use the company’s free utility to ascertain whether their devices are vulnerable.
If the vulnerability is found, affected government Pulse Secure software and appliances have to be immediately isolated from the network and a full report has to be made. In addition to the vulnerability detection tool, Pulse Secure has issued a replacement XML configuration file, which prevents the exploits from functioning when placed on affected devices.