This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.ĬISA has published Activity Alert AA21-110A ( ) providing further details and resources. CISA has no knowledge of other affected Pulse Secure products (including the Pulse Secure Access client).ĬISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. Successful exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software. § 3553(d), (e)(2), (e)(3), (h)(1)(B).ĬISA has observed active exploitation of vulnerabilities in Pulse Connect Secure products, a widely used SSL remote access solution. These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. § 655(3).įederal agencies are required to comply with these directives. Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C.
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities”. ApMitigate Pulse Connect Secure Product Vulnerabilities