Federal agencies have until 5 p.m. Eastern Standard Time on April 23 to implement an emergency directive that the Cybersecurity and Infrastructure Security Agency issued on vulnerabilities affecting the virtual private networking service Pulse Secure Connect, which have already been used to compromise federal agencies.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products,” reads an alert accompanying the directive.
The directive, issued Tuesday evening, is CISA’s third emergency directive this year. Last week, agencies were ordered to submit reports to CISA following the release of new patches for on-premises Microsoft Exchange Servers, and they are now facing new compromises of credentials following intrusions by SolarWinds’ hackers, who took advantage of their access to legitimate accounts to move around in agency networks.
CISA’s directives apply to federal civilian agencies, but the defense sector was particularly targeted by one of the threat actors associated with the newest order, according to the cyber intelligence firm FireEye, which suspects that the actor is associated with the Chinese government. The Defense Department is also investigating whether it was affected by the vulnerabilities.
“We are aware of the report regarding the vulnerability in Pulse Secure VPN devices,” a DOD spokesperson told Nextgov. “We are assessing potential impact to the Defense Information Network and taking the appropriate steps to protect our data, networks, and systems. We are in close communication with [ ..