ConnectWise is advising users of its ScreenConnect remote desktop software to install patches as soon as possible to address a critical vulnerability that could enable remote code execution and impact data confidentiality.
The flaws, which have not yet been assigned CVE identifiers, include an alternate path/channel authentication bypass and an improper pathname limitation vulnerability. Both vulnerabilities affect ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8.
ConnectWise hasn’t observed any exploitation of the vulnerabilities in the wild but is still encouraging users to update to secure versions as soon as possible.
Source: The Hacker News
Analysis
Field Effect can confirm that at least one valid proof-of-concept exploit exists for these vulnerabilities. As a result, it’s likely only a matter of time before threat actors develop their own exploits and begin to deploy them against unpatched ScreenConnect instances.
Because ScreenConnect enables users to remotely access computers, its instances can easily be found using IoT scanning engines like Shodan. According to the Shadowserver Foundation, approximately 4,000 instances of ScreenConnect are deployed worldwide; however, it’s unknown how many of these deployments are affected by the recently discovered vulnerabilities.
Image 1: Map of ConnectWise ScreenConnect instances deployed worldwide (Source: Shadowserver Foundation)
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like ScreenConnect. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages users of affected versions of ScreenConnect to install the latest security patch as soon as possible in accordance with ConnectWise’s advisory. Additionally, users should verify that the IoCs provided by