April 26, 2021

To:  All Regulated Entities

From:  New York Department of Financial Services

Re:  Pulse Connect Secure Critical Vulnerability

On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in certain Ivanti Pulse Connect Secure products, which are widely used for virtual private network (VPN) remote access.  These vulnerabilities are currently being exploited and have affected government agencies, critical infrastructure entities, and other private sector organizations. 

If your company uses Ivanti Pulse Connect Secure products, you should follow CISA’s guidance and immediately run Ivanti’s Pulse Secure Connect Integrity Tool to determine whether your VPN  has been compromised. If it was compromised, you should investigate whether there was malicious activity and implement the mitigations released by Ivanti.  Ivanti is developing a patch, but until it is released, CISA recommends updating to the latest software version

The CISA Alert and Emergency Directive cited above, along with the Pulse Secure blog dated  April 20, 2021, contain more detailed information on this newly discovered compromise.  Specifically, Pulse Secure has identified four issues which are described in Security Advisory SA44784 (CVE-2021-22893), Security Advisory SA44601 (CVE-2020-8260), Security Advisory SA44588 (CVE-2020-8243), and Security Advisory SA44101 (CVE-2019-11510).  Affected products include:

  • Pulse Connect Secure (PCS) 9.1Rx or below
  • Pulse Policy Secure (PPS) 9.1Rx or below
  • Pulse Secure Desktop Client (PDC) 9.1Rx or below

Given the current exploitation of this vulnerability and the widespread use of VPNs, we ask all regulated entities to fill out the following survey by April 30:

https://forms.office.com/Pages/ResponsePage.aspx?id=6rhs9AB5EE2M64Dowcge5-SLrBQ6f4dLodN8CfrSAJ1UNVVROUJZVzZJR0g4NTRVTzdHSzhIWFFDWi4u

Regulated entities should remediate security flaws immediately and are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest.

Any questions or comments regarding this Alert should be directed to [email protected].