The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-03 today requiring federal civilian departments and agencies running Pulse Connect Secure products to assess and mitigate any anomalous activity or active exploitation detected on their networks. All affected agencies are required to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems, and if mismatches or new files are found, they must take mitigation actions and contact CISA for potential incident response activities.
The directive is in response to observed active exploitation using disclosed vulnerabilities in Pulse Connect Secure products. Successful exploitation of these vulnerabilities allows an attacker to gain persistent system access and control of the enterprise network operating the vulnerable Pulse Connect Secure appliance.
“Over the last year, CISA has issued several alerts urging agencies, governments and organizations to assess and patch Pulse Connect Secure vulnerabilities,” said Acting CISA Director Brandon Wales. “This Emergency Directive reflects the seriousness of these vulnerabilities and the importance for all organizations – in government and the private sector – to take appropriate mitigation steps.”
ED 21-03 reflects CISA’s determination to require emergency action for exploitation that poses an unacceptable risk to federal civilian executive branch agencies.
To encourage public and private sector organizations to take similar steps, CISA also issued an activity alert that provides additional technical details on how to assess their networks and mitigate the vulnerabilities in Pulse Connect Secure products.