On February 19, 2024, ConnectWise published a security bulletin detailing two critical vulnerabilities within their on-premises ScreenConnect software. At the time of writing, these vulnerabilities do not have CVE numbers assigned to them. ConnectWise has stated that the vulnerabilities have the potential to result in remote code execution (RCE).
Vulnerability #1 (CVSS: 10): Allows a threat actor to achieve authentication bypass by leveraging an alternate path/channel.
Vulnerability #2 (CVSS: 8.4): A path traversal vulnerability that is caused by the improper limitation of a pathname to a restricted directory.
In their advisory, ConnectWise notes that no action is needed for cloud-hosted instances of ScreenConnect on screenconnect.com or hostedrmm.com, as those instances have been updated to remediate the issue. Users running on-premises instances of ScreenConnect version 23.9.7 or lower, however, are advised to immediately upgrade to ScreenConnect version 23.9.8.
ScreenConnect is a widely utilized Remote Monitoring and Management (RMM) tool that has been leveraged by threat actors in the past, often in connection with ransomware attacks. Arctic Wolf assesses with high confidence that threat actors will target these vulnerabilities in the near-term due to the severity of the vulnerabilities including potential for RCE, and the historical use of ScreenConnect by threat actors. Arctic Wolf has not observed active exploitation of these vulnerabilities in the wild or Proof of Concept (PoC) exploits at this time.
Recommendation
Upgrade ConnectWise ScreenConnect to Patched Version
Due to the severity of these vulnerabilities and the expected low complexity of exploiting them, Arctic Wolf strongly recommends that all organizations running on-premises versions of ConnectWise ScreenConnect update as soon as possible to protect against the widespread threat activity that is expected to result from these vulnerabilities.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ConnectWise ScreenConnect | 23.9.7 and prior | 23.9.8 |
Please follow your organization’s patching and testing guidelines to avoid operational impact.
ScreenConnect Cloud Users: No action is required as the ScreenConnect servers hosted in the screenconnect.com cloud or hostedrmm.com have been updated to address the issue.
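The affected/fixed boundary above is easy to get wrong in an inventory script because ScreenConnect version strings have more than three components (builds such as 23.9.7.8802) and naive string comparison sorts "23.9.10" below "23.9.8". The following is an added example written for this bulletin, not code from Arctic Wolf or ConnectWise. It assumes you already have a list of server hostnames and the version string each reports (the inventory below is constructed), and it uses the bulletin's rule that cloud-hosted instances under screenconnect.com or hostedrmm.com need no action:

```python
import re
from dataclasses import dataclass

# Fixed version from the bulletin: anything numerically below this is affected.
FIXED_VERSION = "23.9.8"

# Cloud-hosted domains that the bulletin says were already remediated.
CLOUD_HOSTED_DOMAINS = ("screenconnect.com", "hostedrmm.com")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '23.9.7.8802' into (23, 9, 7, 8802) so comparison is numeric.

    Raises ValueError for strings that are not dotted integers, so an
    unreadable version is never silently treated as safe.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the reported version is below the fixed release.

    Tuple comparison handles extra build components correctly:
    (23, 9, 7, 8802) < (23, 9, 8) is True, (23, 9, 10) < (23, 9, 8) is False,
    whereas the plain string comparison '23.9.10' < '23.9.8' would wrongly be True.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def is_cloud_hosted(host: str) -> bool:
    """True for hostnames under the ConnectWise-operated cloud domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in CLOUD_HOSTED_DOMAINS)


@dataclass
class Instance:
    host: str      # hostname of the ScreenConnect server (hypothetical)
    version: str   # version string the server reports (hypothetical)


def triage(instances: list[Instance]) -> dict[str, list[str]]:
    """Split an inventory into hosts that must be upgraded and hosts whose
    version could not be read; cloud-hosted and already-fixed hosts are skipped."""
    report = {"upgrade": [], "unknown": []}
    for inst in instances:
        if is_cloud_hosted(inst.host):
            continue  # remediated by ConnectWise, no customer action needed
        try:
            if is_affected(inst.version):
                report["upgrade"].append(inst.host)
        except ValueError:
            report["unknown"].append(inst.host)  # review manually
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Instance("support.example.com", "23.9.7.8802"),   # on-prem, affected
    Instance("acme.screenconnect.com", "23.9.7"),     # cloud-hosted, skip
    Instance("rmm.example.net", "23.9.8.8811"),       # on-prem, already fixed
    Instance("legacy.example.org", "22.8.3"),         # on-prem, affected
    Instance("lab.example.org", "unknown"),           # version not readable
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    print("Upgrade to", FIXED_VERSION, "or later:", result["upgrade"])
    print("Version could not be determined:", result["unknown"])
```

Treating an unreadable version as "unknown" rather than "safe" is deliberate: for an authentication-bypass bug on an internet-facing RMM server, a host that drops off the upgrade list by accident is the expensive mistake.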