Cyber Threat Alert: Severe Vulnerability in ConnectWise ScreenConnect Exploited


What happened?

Two critical vulnerabilities in ConnectWise ScreenConnect servers, version 23.9.7 and earlier, were disclosed by the vendor last week. Yesterday, 02/21/2024, technical details and a proof-of-concept exploit for those vulnerabilities were published as well. ConnectWise had earlier confirmed that the vulnerabilities are already being exploited “in the wild” by malicious hackers.

The first flaw, CVE-2024-1708, is an authentication bypass in ScreenConnect’s setup wizard, which may allow a user to reach the setup wizard even after ScreenConnect has already been set up, and to create an (additional) admin account. The second vulnerability, CVE-2024-1709, is a path traversal flaw through which an attacker can manipulate sensitive .xml files via crafted requests. When those requests contain directory traversal sequences, the attacker can navigate the file system and eventually upload a malicious script or executable file outside the subdirectory ScreenConnect intends to use.

What is the risk?

Unpatched versions of ScreenConnect are now highly vulnerable to targeted attacks, as an exploit PoC for those vulnerabilities is publicly available. Such attacks might result in a wide range of impacts, from data theft to full system compromise or the installation of highly persistent tools.

What should MSPs do now?

As per ConnectWise’s official bulletin, users of on-premise ScreenConnect must update their version to 23.9.8.

Cloud users who access ScreenConnect servers hosted in “screenconnect.com” or “hostedrmm.com” should not take any action as the version has been automatically updated.

As the vulnerability occurs in the “SetupWizard.aspx” file (located in ScreenConnect’s program files), which is unnecessary after any setup or update, users should consider deleting the file.

All ScreenConnect server users who have been using the vulnerable versions are advised to investigate possible connections to IP addresses that were used by attackers to exploit the vulnerabilities and keep an eye out for additional intelligence and indicators (see below).

Indicators of Compromise (IOCs)

IOC            Type   Description                                                                           Source
155.133.5.15   IP     Used by unspecified attackers to exploit the ScreenConnect critical vulnerabilities   ConnectWise official security bulletin 2024-02-20
155.133.5.14   IP     Used by unspecified attackers to exploit the ScreenConnect critical vulnerabilities   ConnectWise official security bulletin 2024-02-20
118.69.65.60   IP     Used by unspecified attackers to exploit the ScreenConnect critical vulnerabilities   ConnectWise official security bulletin 2024-02-20
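As an added example (not part of this alert or of any ConnectWise tooling), the following Python script automates two of the checks above: it tells whether an on-premise version string is below the fixed 23.9.8 build, and it scans web-server access log lines for the three IOC IPs, for requests reaching SetupWizard.aspx on an already-configured server, and for directory traversal sequences. The common-log-format layout, the sample lines and the function names are assumptions.

```python
import re
from typing import List, Tuple

# IOC IPs as listed in the ConnectWise bulletin reproduced above.
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}

# First fixed on-premise version per the vendor bulletin.
FIXED_VERSION = (23, 9, 8)

# Constructed sample lines (assumed common log format; only the client IP
# and request path fields are used, adapt LOG_RE to your real log layout).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2024:10:01:02 +0000] "GET /Host HTTP/1.1" 200 512
155.133.5.15 - - [21/Feb/2024:10:02:15 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 2048
198.51.100.9 - - [21/Feb/2024:10:03:44 +0000] "POST /Files/../upload.txt HTTP/1.1" 200 64
203.0.113.7 - - [21/Feb/2024:10:04:00 +0000] "GET /Administration HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7' into (23, 9, 7) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for 23.9.7 and earlier, i.e. anything below the first fixed build."""
    return parse_version(version) < FIXED_VERSION


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for requests that warrant investigation."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected layout
        ip, path = match["ip"], match["path"]
        if ip in IOC_IPS:
            hits.append(("ioc-ip", line))
        if "setupwizard.aspx" in path.lower():
            hits.append(("setup-wizard-request", line))  # suspicious after setup is done
        if "../" in path or "..\\" in path or "%2e%2e" in path.lower():
            hits.append(("path-traversal", line))
    return hits


if __name__ == "__main__":
    print("23.9.7 vulnerable:", is_vulnerable("23.9.7"))
    for reason, line in scan_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```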

If you have any questions or concerns, please feel free to reach out to [email protected].
