Pulse Secure: 2,500 VPN servers worldwide vulnerable to CVE-2019-11510 critical security flaw

UK plays host to 149 unpatched Pulse Secure VPN servers vulnerable to flaw favoured by Iranian state-backed hackers

The number of Pulse Secure VPN servers vulnerable to critical security flaw CVE-2019-11510 stands at 2,495 worldwide, more than six months after the flaw was first publicised.

The security flaw has been actively exploited for months by attackers of various shades, including hackers linked to the Iranian state, with the UK's National Cyber Security Centre issuing a public warning as long ago as October.

It is also believed that the attackers behind the ransomware that took Travelex offline for more than a month used a vulnerable Pulse Secure VPN server as their entry point, taking several months over reconnaissance before launching their attack on New Year's Eve when IT staff numbers would be minimal.

Even after patches have been applied, organisations will need to conduct scans to ensure that attackers haven't already surreptitiously breached their network and left behind tools enabling them to return later, unobserved.

The figures come from security firm Bad Packets, which has been running regular worldwide scans to uncover servers running dangerously unpatched software: not just Pulse Secure VPN servers, but also Citrix NetScaler servers.

The scan this week found that the UK hosts 149 vulnerable Pulse Secure VPN servers, while the US tops the list with 718, followed by Japan with 332. Troy Mursch, the security specialist behind Bad Packets, has put together a Google Docs spreadsheet to keep track of the unpatched servers and their locations.

In a scan last week, Bad Packets also found thousands of Citrix NetScaler and ADC servers worldwide that still hadn't been patched against the CVE-2019-19781 security flaw, which was publicised in December but only belatedly patched by the company in mid-January.

A total of 5,915 systems around the world remain unprotected against CVE-2019-19781, with 40 per cent of the total located in the US. Exploits have been circulating for weeks, with attacks already believed to have been carried out. The UK, meanwhile, still hosts some 388 vulnerable Citrix servers, despite patches for most versions of the software being issued on 19th January, with the final patches released on 24th January.

Again, organisations applying patches will need to scan their networks thoroughly after patching to ensure that they have not already been surreptitiously breached.