Pulse VPN Vulnerability

By William Beard, Jr on August 10, 2021

(By: William Beard on August 10, 2021)

Executive Summary

FireEye and Pulse Secure are currently investigating a new vulnerability in the Pulse Connect Secure Virtual Private Network (VPN), known as CVE-2021-22893. This new vulnerability has been used with some older Pulse Connect Secure VPN vulnerabilities to access government and private company networks.


CVE-2021-22893 allows a remote unauthenticated Advanced Persistent Threat (APT) to use malicious code attacks against the Pulse Connect Secure VPN. This allowed the attackers to harvest legitimate account credentials that they then modified to remain on the networks.  From there, the attackers used trojanized assemblies dubbed SLOWPULSE, webshells known as RADIALPULSE and PULSECHECK, as well as clearing log files using a utility dubbed THINBLOOD.


Very few customers who use the Pulse Connect Secure VPN have been affected by this vulnerability as of now, but the investigation is still ongoing.  The extent of the damage is unknown because the investigation is still in progress. 


It is recommended that networks running the Pulse Connect Secure VPN update to version 9.1R.11.4 and import a workaround to mitigate this vulnerability. Workaround-2104.xml can be downloaded, unzipped, and then imported into the updated version on Pulse Connect Secure VPN.


This vulnerability is relevant because Pulse Connect Secure is a widely used VPN. In the most recent attacks, CVE-2021-22893 was used against the U.S. Defense Industrial Base (DIB) networks. During FireEye’s investigation of the attack, they found similarities between this attack and historic attacks conducted by the Chinese hacking group known as APT5 aka BRONZE FLEETWOOD.


[1] https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

[2] https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22893