Malwarebytes blogMALWAREBYTES:F0F577283FA844F1B7911EBCEB40F9DEUpdate now! ConnectWise ScreenConnect vulnerability needs your attention
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.935 High
EPSS
Percentile
99.0%
ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data-centers and for remote assistance. Together ConnectWiseβs partners manage millions of endpoints (clients).
A Shadowserver scan revealed approximately 3,800 vulnerable ConnectWise ScreenConnect instances on Wednesday, most of them in the US.
> ~3800 vulnerable ConnectWise ScreenConnect instances (authentication bypass using an alternate path or channel (CVSS 10) & path traversal (CVSS 8.4)) <https://t.co/tPi9ALNVab>
IP data in:<https://t.co/qxv0Gv5ELc>
~93% instances of ScreenConnect seen on 2024-02-20 still vulnerable: <https://t.co/CRpEHutjFS> pic.twitter.com/hiwPqnouby
>
> β Shadowserver (@Shadowserver) February 21, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. ConnectWise has shared three IP addresses that were recently used by threat actors:
- 155.133.5.15
- 155.133.5.14
- 118.69.65.60
These IP addresses are all blocked by ThreatDown and Malwarebytes solutions.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The flaw added to the CISA Catalog is CVE-2024-1709, an authentication bypass vulnerability with a CVSS score of 10 that could allow an attacker administrative access to a compromised instance. With administrative access it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).
Affected versions are ScreenConnect 23.9.7 and prior. Cloud partners donβt need to take any actions. ScreenConnect servers hosted in on screenconnect.com and hostedrmm.com have been updated to remediate the issue.
Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.
For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation - ConnectWise.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.935 High
EPSS
Percentile
99.0%