CVSS3: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 9.7 High (Confidence: High)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.935 High (Percentile: 99.0%)
On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect 23.9.7 and earlier. Neither vulnerability had a CVE assigned at the time of disclosure, but as of February 21, CVEs have been assigned to both issues mentioned in ConnectWise's advisory.
ScreenConnect is popular remote access software used by many organizations globally; it has also been abused by adversaries in the past. There appear to be some 7,500+ instances of ScreenConnect exposed to the public internet. The vulnerabilities were not known to be exploited in the wild when they were disclosed, but as of the evening of February 20, ConnectWise has indicated they have confirmed compromises arising from exploitation of these vulnerabilities. Rapid7 Managed Detection and Response (MDR) has also observed successful exploitation in customer environments.
Security news media and security vendors are raising strong alarms about the ScreenConnect vulnerabilities, largely because of the potential for attackers to exploit vulnerable ScreenConnect instances to then push ransomware to downstream clients. This may be a particular concern for managed service providers (MSPs) or managed security services providers (MSSPs) who use ScreenConnect to remotely manage client environments.
All versions of ConnectWise ScreenConnect before 23.9.8 are vulnerable to these (CVE-less) issues. Customers who have on-premise ScreenConnect instances in their environments should apply the 23.9.8 update on an emergency basis, per ConnectWise's guidance. The vendor has also published several indicators of compromise (IOCs) in their advisory that organizations can hunt for. Rapid7 strongly recommends looking for signs of compromise even after the patch has been applied.
ConnectWise has also removed licensing restrictions to allow partners to update to supported systems, and they have updated their advisory to note the following: "ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later. If your instance is found to be on an outdated version, an alert will be sent with instructions on how to perform the necessary actions to release the server."
InsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks available in the February 21 content release.
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity related to these vulnerabilities:
Note: In order for Rapid7 to alert on the rule Attacker Technique: ConnectWise ScreenConnect Exploit Adding a New User, customers will have to ensure that a host's Advanced Security Audit Policy Settings for Kernel Object is configured to log Windows EventID 4663 and have a SACL set on ScreenConnect's directory. More information on how to configure the Advanced Audit Policy is available here.
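One way to put the prerequisite described in the note above in place, as an added example that is not ConnectWise's or Rapid7's own configuration: it enables success auditing for the audit subcategory the note names (and for File System, which is the subcategory that emits Event ID 4663 for file objects), adds an inherited write/delete SACL entry on the ScreenConnect directory, and then checks that 4663 events for that path are arriving. The install path is an assumption; adjust it for your instance, and run this from an elevated PowerShell session.

```powershell
# ASSUMPTION: default on-premise install location; change if your instance differs.
$ScreenConnectDir = 'C:\Program Files (x86)\ScreenConnect'

# Enable success auditing. "Kernel Object" is the subcategory named in the note;
# file-object 4663 events are generated under "File System", so enable both.
auditpol /set /subcategory:"Kernel Object" /success:enable
auditpol /set /subcategory:"File System" /success:enable

# Build a SACL entry that audits successful writes, appends and deletes by any
# principal, inherited by all files and subfolders under the ScreenConnect directory.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)

# -Audit is required so Get-Acl/Set-Acl carry the SACL, not just the DACL.
$acl = Get-Acl -Path $ScreenConnectDir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ScreenConnectDir -AclObject $acl

# Show the resulting audit entries for confirmation.
(Get-Acl -Path $ScreenConnectDir -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# Verification: after touching a file under the directory, recent 4663 events
# that reference the ScreenConnect path should appear in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$ScreenConnectDir*" } |
    Select-Object TimeCreated, Id, Message
```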
A Velociraptor artifact is available here to assist in hunting for indicators of compromise. A Metasploit module is available here (pending final merge and release).
February 21, 2024: Updated to include CVEs (CVE-2024-1708, CVE-2024-1709) and to note exploitation in the wild. Rapid7 MDR has also observed exploitation in customer environments. Updated with availability of vulnerability checks to InsightVM and Nexpose customers.
February 22, 2024: New detection rule added for InsightIDR and MDR customers (Attacker Technique: ConnectWise ScreenConnect Exploit Adding a New User)
February 23, 2024: Velociraptor artifact now available, Metasploit module in development. Changes to ConnectWise advisory guidance have been added to the Mitigation guidance section of this blog.