Pulse Secure Urges Patch Deployment After VPN Server Passwords Leaked

The developer of secure access solutions said it estimates that 97 percent of customers have already applied the patch.

Pulse Secure, a developer of secure access solutions, on Wednesday urged customers to install a security patch to address a well-known VPN server vulnerability, after reports emerged of server usernames and passwords being posted online.

The vulnerability was reported and patched by Pulse Secure more than a year ago, and an estimated 97 percent of customers have implemented the patch so far, the company said.

[Related: Pulse Secure Revamps Partner Program With Debut Of Rebates, MDF]

However, the San Jose, Calif.-based company acknowledged that some VPN servers are still susceptible to exploits stemming from the CVE-2019-11510 vulnerability.

“We urge all our customers to deploy the security patch fix, available since April 2019, to protect themselves from threat actors and potential attacks,” said Scott Gordon, chief marketing officer at Pulse Secure, in a statement provided to CRN. “We have already contacted customers that have yet to apply the patch fix multiple times using contact information available to us, and we will continue to do so until they deploy the patch to all their systems.”

The statement followed reports by outlets including ZDNet that a hacker had leaked usernames, passwords and IP addresses for more than 900 VPN servers from Pulse Secure. The information was posted on an online forum for hackers that multiple ransomware groups are known to frequent, according to ZDNet.

In its statement, Pulse Secure said it appreciated the help from researchers and media outlets with “highlighting the risks and importance of patching vulnerability systems - in particular informing the industry of those Pulse Secure VPN servers that have not been updated by their respective owners and remain vulnerable.”

“These and other derivative exploits relate to CVE-2019-11510, which was a vulnerability that was publicly patched and reported by Pulse Secure in April 2019. Pulse Secure had also issued a security advisory SA44101 and our company has been pro-actively contacting all customers to apply the patch fix. We estimate that over 97 percent of customers have applied the patch are no longer vulnerable,” Pulse Secure said in its statement.

“Since April of 2019, Pulse Secure has been reaching out to customers by phone, email, in-product alerts and through online notifications to install the server-side patch fix and change their system access credentials immediately to all their VPN appliances,” the company said. “Our support team has also been providing 24/7 support to any customer who needs assistance deploying the patch fix regardless of whether they have an active maintenance contract or not.”