We appreciate researchers, institutions, and media informing the public of vulnerabilities, risks, and the importance of patching susceptible systems. A recent article discussed a derivative exposure stemming from an old vulnerability (CVE-2019-11510) that was resolved with a patch fix made available by Pulse Secure in April 2019 – as publicly communicated in our security advisory SA44101. We estimate that over 97% of customers have applied the patch and are no longer vulnerable. We continue to urge our remaining customers that have not patched their Pulse Secure VPN servers to do so immediately.
As a global cybersecurity vendor, we have the responsibility to verify and respond to flaws, and to help defend the digital welfare of our customers. Unfortunately, as systems, infrastructure, threat actors and attack vectors evolve, it is inevitable that security solutions will have vulnerabilities that need to the resolved. Vulnerabilities are commonplace in our industry whether you are among large vendors or small vendors – all members of the infosec community take remediating threats with the utmost importance. As such, we have dedicated resources and follow best practices to address these issues, readily sharing threat intelligence so that everyone benefits.
Pulse Secure publicly provided a patch fix and vulnerability details on April 24, 2019 – months before the vulnerability was publicized. From that time, Pulse Secure has been reaching out to our customers and partners, by phone, email, in-product alerts, and through our community and partner portal to notify them of the urgency to install the server-side patch fix and to change system access credentials to their VPN appliances.
We have maintained updates on the vulnerability and implementation guidelines. Our support team has also been working directly with customers, providing 24/7 support to any customer who needs assistance deploying the patch fix regardless of whether they have an active maintenance contract or not.
We have already contacted customers multiple times that appear to have vulnerable systems using contact information available to us, and we will earnestly continue to do so.
We urge all customers to immediately deploy the security patch fix and to update their VPN system access credentials. Customers can obtain the most current advisory update at our support portal and can contact Pulse Secure support for direct assistance.
Vice President, WW Customer Success
Chief Marketing Officer