ConnectWise has issued a patch for its ScreenConnect product to fix two vulnerabilities that provide a low-effort authentication bypass and path traversal, potentially allowing remote code execution or access to private systems and data. Admins are encouraged to apply the patch ASAP.
Summary
Two vulnerabilities were disclosed to ConnectWise on Feb 13, 2024, which have been verified and patched in version 23.9.8:
- CWE-288 – Authentication bypass using an alternate path or channel (CVSS 10)
- CWE-22 – Improper limitation of pathname to a restricted directory (CVSS 8.4)
Per the ConnectWise advisory, updated February 20, 2024, both vulnerabilities are rated critical severity with high priority because they are at risk of being exploited in the wild. Admins should install the update as soon as possible.
Affected Versions
- ScreenConnect 23.9.7 and prior
Indicators of Compromise
As of February 20, IOCs have been added to the ScreenConnect advisory to allow monitoring of exploit attempts. The following IP addresses were recently used by threat actors per ConnectWise:
- 155.133.5.15
- 155.133.5.14
- 118.69.65.60
Remediation
ScreenConnect cloud servers hosted on the screenconnect.com cloud or on hostedrmm.com are already patched and protected. Admins running on-prem software are advised to update their servers to ScreenConnect version 23.9.8 immediately.
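An added example, not from ConnectWise or the original page: a triage helper that flags on-prem versions older than 23.9.8 and searches log text for the three IP addresses listed above. The function names, the sample log lines and their format are assumptions; feed it whatever web server or firewall logs you retain.

```python
import ipaddress
import re
from collections import Counter

# IP addresses this advisory lists as recently used by threat actors.
IOC_IPS = {ipaddress.ip_address(a) for a in
           ("155.133.5.15", "155.133.5.14", "118.69.65.60")}
FIXED_VERSION = (23, 9, 8)  # patched release named in the advisory

# Lookarounds keep a match from starting or ending inside a longer dotted number.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_vulnerable(version):
    """True if the version is older than 23.9.8, compared numerically
    per component so that 23.9.10 sorts after 23.9.8."""
    parts = tuple(int(p) for p in version.strip().split("."))[:3]
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION


def find_ioc_hits(lines):
    """Return (Counter of IOC IP -> matching lines, [(line_no, line), ...])."""
    counts, hits = Counter(), []
    for line_no, line in enumerate(lines, 1):
        matched = set()
        for token in _IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if addr in IOC_IPS:
                matched.add(str(addr))
        if matched:
            counts.update(matched)
            hits.append((line_no, line.rstrip()))
    return counts, hits


# Constructed sample lines; the log format is an assumption.
SAMPLE_LOG = [
    "2024-02-21 03:14:07 155.133.5.15 POST /example-path 200",
    "2024-02-21 03:14:09 155.133.5.150 GET / 200",
    "2024-02-21 03:15:40 203.0.113.7 GET / 200",
    "2024-02-21 03:16:02 118.69.65.60 GET /example-path 302",
]

if __name__ == "__main__":
    print("23.9.7 vulnerable:", is_vulnerable("23.9.7"))
    for line_no, line in find_ioc_hits(SAMPLE_LOG)[1]:
        print(f"line {line_no}: {line}")
```

A hit only shows that a listed address reached the server; review the matching requests and the server state before drawing conclusions.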
Resources
- ConnectWise advisory
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- Instructions on updating on-prem ConnectWise servers
https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Get_started_with_ConnectWise_ScreenConnect_On-Premise/Upgrade_an_on-premises_installation
- Bleeping Computer article
https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/