"CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorised access," deputy executive assistant director of Cybersecurity, Matt Hartman, said in a statement sent to CNN.
"We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly."
The CISA warned government agencies to guard against vulnerabilities in Pulse Connect Secure products as they were being exploited since 31 March.
"The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence," the advisory said.
"The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching."
On 21 April, security vendor FireEye had warned about the same vulnerabilities after they were disclosed by the vendor, Ivanti.