CVE-2021-22893
Published 2021-04-23
CVSS 3.1: 10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 47.17% (98.7th percentile)
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | pulse_connect_secure | — | — |
Detection & IOCs (extracted from sources)
Snort SIDs: 51288, 51289, 51390, 57452-57459, 57461-57468
- CVE-2021-22893 exploits the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure; monitor for unauthenticated requests targeting these features on PCS gateways.
- Enable SSL/TLS decryption in Cisco Secure Firewall and Snort to detect exploitation attempts, since the vulnerable application is reached over SSL/TLS.
- Threat actors have covered their tracks on compromised Pulse/Ivanti appliances by overwriting files, time-stomping files and re-mounting the runtime partition; look for these anti-forensic behaviours in host-based telemetry.
- Web shells deployed on compromised Pulse/Ivanti appliances may show no file mismatches in integrity checks; do not rely solely on ICT scan results for compromise detection.
- CVE-2021-22893 affects Pulse Connect Secure 9.0R3/9.1R1 and higher; versions below 9.0R3 are not listed as affected.
- Ivanti's internal and previous external Integrity Checker Tool (ICT) is not sufficient to detect compromise; root-level persistence may survive factory resets.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 10.0 | CRITICAL | — |
| CISA | — | 10.0 | CRITICAL | — |
GHSA
GHSA-hcxw-prp6-q3jq: Pulse Connect Secure 9
ghsa_unreviewed · 2022-05-24 · CVE-2021-22893 [CRITICAL] · CWE-287
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
VulnCheck
Ivanti Pulse Connect Secure Use-After-Free Vulnerability
vulncheck · 2021 · CVE-2021-22893 [CRITICAL] · CWE-287 · CVSS 10.0
Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allows a remote, unauthenticated attacker to execute code via license services.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://us-cert.cisa.gov/ncas/alerts/aa21-110a
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.mandiant.com/resources/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day
- https://www.cve.org/CVERecord?id=CVE-2021-22893
- https://cisa.gov/news-events/analysis-reports/ar21-112a
- https://www.mandiant.com/reso
Ivanti
Pulse Connect Secure RCE (exploited by APT)
vendor_ivanti · 2021-11-03 · CVE-2021-22893 [CRITICAL] · CVSS 10.0
Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allows a remote, unauthenticated attacker to execute code via license services.
CVE IDs: CVE-2021-22893
Affected products: Pulse Connect Secure
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply updates per vendor instructions.
Remediation Due Date: 2022-05-03
Known to be used in ransomware campaigns.
CISA
Ivanti Pulse Connect Secure Use-After-Free Vulnerability
cisa · 2021-11-03 · CVE-2021-22893 [CRITICAL] · CWE-287 · CVSS 10.0
Affected: Ivanti Pulse Connect Secure
Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allows a remote, unauthenticated attacker to execute code via license services.
Required Action: Apply updates per vendor instructions.
Notes: Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03. https://nvd.nist.gov/vuln/detail/CVE-2021-22893
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2
suricata · 2021-05-05 · CVE-2021-22893 [CRITICAL] · CVSS 10.0
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2"; flow:established,to_server; http.uri.raw; content:"/dana-na/"; depth:11; content:"cat%20/home/webserver/htdocs/dana-na/"; nocase; distance:2; within:100; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032905; rev:1; metadata:affected_product Pulse_Secure, attack_target Networking_Equipment, created_at 2021_05_05, cve
Suricata
ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3
suricata · 2021-05-05 · CVE-2021-22893 [CRITICAL] · CVSS 10.0
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3"; flow:established,to_server; content:"MIME|3a 3a|Base64|3b|"; nocase; http.uri; content:"/dana-na/"; depth:11; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:trojan-activity; sid:2032906; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_05_05, cve CVE_2021_22893, confidence High, signature_severity Major, tag CISA_KEV, tag De
Suricata
ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1
suricata · 2021-05-05 · CVE-2021-22893 [CRITICAL] · CVSS 10.0
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1"; flow:established,to_server; http.uri; content:"/dana"; depth:7; fast_pattern; pcre:"/^\S{0,7}\/(?:meeting|fb\/smb|namedusers|metric)/Ri"; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032904; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deplo
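The following Python is an added, offline example (not from Emerging Threats, FireEye or any source on this page) that re-implements the match conditions of the three ET EXPLOIT rules quoted above and exercises the Detection & IOCs guidance to watch unauthenticated requests to the Windows File Share Browser and Collaboration paths. The `HttpRequest` record and every sample URI and body are constructed, and the `depth`/`distance`/`within` handling is a simplified model of the Suricata engine (no HTTP parsing or URI normalisation).

```python
import re
from dataclasses import dataclass

# Signature strings taken verbatim from the three rules quoted on this page.
M1_PREFIX = "/dana"
M1_PATH_RE = re.compile(r"^\S{0,7}/(?:meeting|fb/smb|namedusers|metric)", re.IGNORECASE)
M2_PREFIX = "/dana-na/"
M2_CMD_TOKEN = "cat%20/home/webserver/htdocs/dana-na/"
M3_PAYLOAD_TOKEN = "MIME::Base64;"   # |3a 3a| and |3b| decoded from the rule's hex escapes
EXCLUDE = "welcome.cgi"              # content:!"welcome.cgi" appears in all three rules


@dataclass
class HttpRequest:
    """Constructed stand-in for the buffers the rules inspect (not a real HTTP parser)."""
    uri: str            # http.uri (normalised URI)
    raw_uri: str = ""   # http.uri.raw; defaults to uri
    body: str = ""      # request payload, searched by the buffer-less content match in M3

    def __post_init__(self) -> None:
        if not self.raw_uri:
            self.raw_uri = self.uri


def content_depth(buf: str, needle: str, depth: int, nocase: bool = False) -> int:
    """Model `content:"needle"; depth:N`: the whole match must lie within the first N bytes.
    Returns the offset just past the match, or -1 when the rule would not match."""
    hay, pat = (buf.lower(), needle.lower()) if nocase else (buf, needle)
    idx = hay.find(pat)
    end = idx + len(pat)
    return end if idx != -1 and end <= depth else -1


def content_relative(buf: str, start: int, needle: str, distance: int, within: int,
                     nocase: bool = False) -> bool:
    """Model `content:"needle"; distance:D; within:W` relative to a match ending at `start`:
    the needle must begin at least D bytes after it and end no more than W bytes after it."""
    window = buf[start + distance: start + within]
    hay, pat = (window.lower(), needle.lower()) if nocase else (window, needle)
    return pat in hay


def match_m1(req: HttpRequest) -> bool:
    """sid 2032904: /dana near the start of http.uri, then a feature path, not welcome.cgi."""
    end = content_depth(req.uri, M1_PREFIX, depth=7)
    if end == -1:
        return False
    # pcre with the R flag is anchored at the byte after the previous content match.
    if not M1_PATH_RE.match(req.uri[end:]):
        return False
    return EXCLUDE not in req.uri


def match_m2(req: HttpRequest) -> bool:
    """sid 2032905: /dana-na/ near the start of http.uri.raw followed by the cat%20 token."""
    end = content_depth(req.raw_uri, M2_PREFIX, depth=11)
    if end == -1:
        return False
    if not content_relative(req.raw_uri, end, M2_CMD_TOKEN, distance=2, within=100, nocase=True):
        return False
    return EXCLUDE not in req.raw_uri


def match_m3(req: HttpRequest) -> bool:
    """sid 2032906: MIME::Base64; anywhere in the payload plus /dana-na/ near the start of http.uri."""
    if M3_PAYLOAD_TOKEN.lower() not in req.body.lower():
        return False
    if content_depth(req.uri, M2_PREFIX, depth=11) == -1:
        return False
    return EXCLUDE not in req.uri


RULES = {"2032904 (M1)": match_m1, "2032905 (M2)": match_m2, "2032906 (M3)": match_m3}


def evaluate(req: HttpRequest) -> list[str]:
    """Return the sids of the rules that would fire on this request."""
    return [sid for sid, fn in RULES.items() if fn(req)]


# Constructed sample traffic (not captured data); the suspicious ones reuse the rule tokens.
SAMPLES = {
    "login_page": HttpRequest("/dana-na/auth/url_default/welcome.cgi"),
    "portal_home": HttpRequest("/dana/home/index.cgi"),
    "meeting_feature": HttpRequest("/dana/meeting/join"),
    "cmd_in_raw_uri": HttpRequest("/dana-na/x/" + M2_CMD_TOKEN.upper() + "index.cgi"),
    "b64_module_in_body": HttpRequest("/dana-na/x/y.cgi", body="x=mime::base64;"),
    "b64_other_path": HttpRequest("/other/y.cgi", body="MIME::Base64;"),
}


def scan_samples() -> dict[str, list[str]]:
    """Run every sample through the three rules; the result is asserted on below."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:20s} -> {hits or 'no alert'}")
```

Note that M1 fires on any request to the meeting, fb/smb, namedusers or metric paths that is not the login page, so on a gateway where those features are in normal use it needs a baseline of expected clients before it can be treated as high-confidence; M2 and M3 key on tokens that have no business appearing in user traffic.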
No public exploits indexed.
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable · 2025-01-08 · [CRITICAL] · CVSS 9.0
Bleepingcomputer
Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
blogs_bleepingcomputer · 2024-04-03 · CVE-2024-21894 [HIGH] · CVSS 8.2 · by Sergiu Gatlan
Update 4/5/25: ShadowServer says there are 16,000 exposed devices likely vulnerable to this flaw.
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.
While Ivanti said the remote code execution risks are limited to "certain conditions," t
Bleepingcomputer
Ivanti fixes critical Standalone Sentry bug reported by NATO
blogs_bleepingcomputer · 2024-03-20 · CVE-2023-41724 [HIGH] · CVSS 8.8 · by Sergiu Gatlan
Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.
Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and Sharepoint servers.
Tracked as CVE-2023-41724, the security flaw impacts all supported versions and allows unauthenticated bad actors within the same physical or logical network to execute arbitrary commands in low-complexity attacks.
Ivanti also fixed a second critical vulnerability (CVE-2023-46808) in its Neurons for ITSM IT service management solution that enables remote threat actors with acc
Bleepingcomputer
CISA cautions against using hacked Ivanti VPN gateways even after factory resets
blogs_bleepingcomputer · 2024-02-29 · [HIGH] · CVSS 8.2 · by Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 exploits.
The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side-request forgery, and
Bleepingcomputer
CISA: Critical Ivanti auth bypass bug now actively exploited
blogs_bleepingcomputer · 2024-01-18 · CVE-2023-35082 [CRITICAL] · CVSS 9.8 · by Sergiu Gatlan
CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below.
Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
"Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply t
Bleepingcomputer
Ivanti Connect Secure zero-days now under mass exploitation
blogs_bleepingcomputer · 2024-01-15 · CVE-2023-46805 [HIGH] · CVSS 8.2 · by Sergiu Gatlan
Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation.
As discovered by threat intelligence company Volexity, which also first spotted the zero-days being used in attacks since December, multiple threat groups chain the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities in widespread attacks starting January 11.
"Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals," Volexity warned today.
The attackers backdo
Bleepingcomputer
Ivanti warns of Connect Secure zero-days exploited in attacks
blogs_bleepingcomputer · 2024-01-10 · CVE-2023-46805 [HIGH] · CVSS 8.2 · by Sergiu Gatlan
Ivanti has disclosed two Connect Secure (ICS) and Policy Secure (IPS) zero-days exploited by suspected Chinese hackers in the wild that can let remote attackers execute arbitrary commands on targeted gateways.
The first security flaw (CVE-2023-46805) is an authentication bypass in the appliances' web component, enabling attackers to access restricted resources by circumventing control checks, while the second (tracked as CVE-2024-21887) is a command injection vulnerability that lets authenticated admins execute arbitrary commands on vulnerable appliances by sending specially crafted requests.
When successfully chaining the two zero days, threat actors can run arbitrary commands on all supported versions o
Tenable
CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable · 2024-01-10 · [HIGH] · CVSS 8.2
Tenable
2021 Threat Landscape Retrospective
blogs_tenable · 2022-11-07 · by Cody Dumont
2021 was certainly a turbulent year, punctuated with the revelation of a critical vulnerability in the widely-used Apache Log4j library. The lingering Covid-19 pandemic had already accelerated online and cloud migration, providing ripe targets for attackers. Organizations were faced with higher risks from interconnectivity resulting in major disruption from breaches, ransomware attacks, and attacks on the software supply chain. Tenable’s 2021 Threat Landscape Retrospective (TLR) provides valuable lessons learned as attackers relentlessly exploited the software supply chain. Cyber security practices need to evolve to address modern technology deployments. This dashboard leverages Tenable’s 2021 Threat Landscape Retrospective to identify the most notable cybe
Tenable
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
blogs_tenable · 2022-03-11
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys · 2021-11-09
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable · 2021-08-25
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys · 2021-07-29 · [CRITICAL] · CVSS 10.0
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISAs Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Securelist
APT trends report Q2 2021
blogs_securelist · 2021-07-29 · Authors: GReAT
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2021.
Readers who would like to learn
Zscaler
Reduce Business Risk by Eliminating the VPN Attack Surface
blogs_zscaler · 2021-05-27
Qualys
Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
blogs_qualys · 2021-05-11 · CVE-2021-31181 [CRITICAL] · CVSS 9.9
## Microsoft Patch Tuesday – May 2021
Microsoft patched 55 CVEs in their May 2021 Patch Tuesday release, of which 4 are rated as critical severity. Three 0-day vulnerability patches were included in the release. As of this publication date, none have been exploited.
Qualys released 12 QIDs on the same day, providing vulnerability detection and patch management coverage (where applicable) for all 55 CVEs and the related KBs.
## Critical Microsoft vulnerabilities patched:
CVE-2021-31181 – SharePoint Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.
CVE-2021-31166 – HTTP Protocol Stack Remote Code
Checkpoint
10th May – Threat Intelligence Report
blogs_checkpoint · 2021-05-10 · CVE-2021-22893
For the latest discoveries in cyber research for the week of 10th May, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Ransomware attack has shut down the routine operations of Colonial Pipeline, which carries 45% of the fuel consumed in the US East Coast, including diesel, petrol and jet fuel. The alleged Russian DarkSide ransomware criminal group, which operates in an as-a-service model, is speculated to be behind this attack.
Belnet, a promin
Talos
Threat Source Newsletter (April 29, 2021)
blogs_talos · 2021-04-29
Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
Ransomware is not just financial extortion. It is crime that transcends business, academic and geographic boundaries. Talos was proud to assist with a newly released report from the international Ransomware Task Force that provides a path forward to mitigate this criminal enterprise. This was a large undertaking by Talos researchers and our cybersecurity partners from across the globe that everyone should read.
And if you're in the mood to watch rather than read, we uploaded a recording of a LinkedIn Live video from earlier this week to our YouTube page. Martin Lee from Talos Outreach joined security blogger Graham Cluley to discuss cybersecurity threats during our current (and likely permanent) work from home situation.
Talos
Threat Advisory: Pulse Secure Connect Coverage
blogs_talos · 2021-04-22 · CVE-2021-22893 [CRITICAL] · CVSS 10.0
Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in their VPN service "Pulse Secure Connect" in a recent security advisory.
The advisory states that, "a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment."
The company released a blog post alongside this advisory disclosing that the vulnerability has been exploited in the wild. According to the blog post, several other previously known vulnerabilities were exploited during these incidents:
- CVE-2019-11510
- CVE-2020-8243
- CVE-2
Tenable
CVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild
blogs_tenable · 2021-04-20 · [CRITICAL] · CVSS 10.0
References
- https://blog.pulsesecure.net/pulse-connect-secure-security-update/
- https://kb.cert.org/vuls/id/213092
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://www.kb.cert.org/vuls/id/213092
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22893
Timeline
- 2021-04-23: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild