Federal authorities announced Tuesday that hackers breached multiple government agencies and other critical organizations by exploiting vulnerabilities in products from an Utah-based software company.

“CISA is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related vulnerabilities in certain Ivanti Pulse Connect Secure products,” the Cybersecurity and Infrastructure Security Agency (CISA) said in an alert.

The agency, which is the Department of Homeland Security’s cybersecurity arm, noted that it had been assisting compromised organizations since March 31, and that the hackers used vulnerabilities to place webshells in the Pulse Connect Secure products, which allowed them to bypass passwords, multi-factor authentication, and other security features.

The agency wrote that Ivanti was developing a patch for these vulnerabilities, and that it “strongly encouraged” all organizations using these products to update to the newest version and investigate for signs of compromise.