ConnectWise has issued a critical warning to its customers, urging them to swiftly patch their ScreenConnect servers to mitigate a severe vulnerability that could lead to remote code execution (RCE) attacks.
The vulnerability stems from an authentication bypass weakness, potentially granting attackers unauthorized access to sensitive data or enabling the execution of arbitrary code on vulnerable servers. What's alarming is that these attacks are low-complexity and require no user interaction, magnifying the urgency for immediate action.
In addition to addressing the authentication bypass flaw, ConnectWise has also patched a path traversal vulnerability in its remote desktop software. While the latter vulnerability requires attackers to already hold elevated privileges, it nonetheless poses a significant security risk.
ConnectWise disclosed that the vulnerabilities were reported through their vulnerability disclosure channel via the ConnectWise Trust Center on February 13, 2024. While there's currently no evidence of exploitation in the wild, the company emphasises the critical need for on-premise partners to promptly address these security risks.
As of now, ConnectWise has yet to assign CVE IDs to these vulnerabilities, which impact all servers running ScreenConnect 23.9.7 and earlier versions. While ScreenConnect cloud servers hosted on screenconnect.com or hostedrmm.com are already safeguarded against potential attacks, on-premise software users are strongly advised to update to ScreenConnect version 23.9.8 without delay.
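The practical check that follows from the paragraph above is an inventory sweep: every on-premise ScreenConnect server still on 23.9.7 or earlier needs the 23.9.8 update, while cloud-hosted instances are already covered. The script below is an added example written for this article, not ConnectWise tooling; the inventory records, hostnames and the `hosting` field are constructed. It compares versions numerically rather than as strings, because a lexical comparison would wrongly rank a later build such as 23.9.10 below 23.9.8.

```python
"""Flag on-premise ScreenConnect servers that predate the 23.9.8 fix.

Added example for the advisory above; not ConnectWise code. The inventory
below is constructed for illustration.
"""

from typing import List, Tuple

FIXED_VERSION = "23.9.8"  # first release the advisory names as patched


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7' into (23, 9, 7) so comparison is numeric.

    A plain string comparison would order '23.9.10' before '23.9.8'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def needs_patching(inventory: List[dict]) -> List[str]:
    """Return hostnames of on-premise servers still running a vulnerable build.

    Cloud-hosted instances (screenconnect.com / hostedrmm.com) are already
    protected according to the advisory, so they are skipped.
    """
    flagged = []
    for host in inventory:
        if host["hosting"] == "cloud":
            continue
        if is_vulnerable(host["version"]):
            flagged.append(host["hostname"])
    return flagged


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    {"hostname": "sc-onprem-01.example.internal", "version": "23.9.7", "hosting": "on-premise"},
    {"hostname": "sc-onprem-02.example.internal", "version": "23.9.8", "hosting": "on-premise"},
    {"hostname": "sc-onprem-03.example.internal", "version": "23.9.10", "hosting": "on-premise"},
    {"hostname": "sc-legacy.example.internal", "version": "22.6.10", "hosting": "on-premise"},
    {"hostname": "tenant.screenconnect.com", "version": "23.9.7", "hosting": "cloud"},
]


if __name__ == "__main__":
    for hostname in needs_patching(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {hostname} (upgrade to {FIXED_VERSION} or later)")
```

Feed it whatever your asset inventory exports (a CSV or CMDB query mapped to the same three fields) and treat every flagged host as a priority patch item; the version parser deliberately refuses strings it cannot read so a malformed record is noticed rather than silently passed as safe.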
This warning from ConnectWise comes in the wake of a joint advisory issued by CISA, the NSA, and MS-ISAC, highlighting the increasing exploitation of legitimate remote monitoring and management (RMM) software like ConnectWise ScreenConnect for malicious purposes. Threat actors capitalise on these platforms to gain unauthorised access to networks, bypassing security controls and perpetrating various nefarious activities, from data theft to deploying ransomware payloads.
Threat actors have been observed utilising local ScreenConnect instances for persistent access to compromised networks, indicative of the severity and persistence of this threat vector.
Managed service providers utilising ScreenConnect are urged to prioritise patching to mitigate the risk of exploitation and safeguard their networks from potential compromise and malicious activities.