The security flaw tracked as CVE-2021-22893 is being exploited by at least two APT groups likely linked to China. The zero-day flaw was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. It’s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday. The advisory also includes fixes for three other bugs, two of which are also critical RCE vulnerabilities.
Source: https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/

