What happened?
Two critical vulnerabilities in ConnectWise ScreenConnect servers, version 23.9.7 and earlier, have been disclosed by the vendor last week. Yesterday, 02/21/2024, the technical details and proof-of-concept exploitation of those vulnerabilities were published, too. ConnectWise confirmed earlier that the vulnerabilities are already exploited “in the wild” by malicious hackers.
The first flaw, CVE-2024-1708, is an authentication bypass in ScreenConnect’s setup wizard, possibly allowing users to access the setup wizard even when ScreenConnect had already been set up and set up an (additional) admin account. The second vulnerability, CVE-2024-1709, is a path traversal flaw through which an attacker can manipulate sensitive .xml files through crafted requests. When those requests contain directory traversal sequences, the attacker can navigate into the file system and eventually upload a malicious script or executable file outside the intended subdirectory used by ScreenConnect.
What is the risk?
Unpatched versions of ScreenConnect are now highly vulnerable to targeted attacks, as an exploit POC for those vulnerabilities is available publicly. Such attacks might result in a wide range of impact, from data theft to system compromise or installation of highly persistent tools.
What should MSPs do now?
As per ConnectWise’s official bulletin, users of on-premise ScreenConnect must update their version to 23.9.8.
Cloud users who access ScreenConnect servers hosted in “screenconnect.com” or “hostedrmm.com” should not take any action as the version has been automatically updated.
As the vulnerability occurs in the “SetupWizard.aspx” file (located in ScreenConnect’s program files), which is unnecessary after any setup or update, users should consider deleting the file.
All ScreenConnect server users who have been using the vulnerable versions are advised to investigate possible connections to IP addresses that were used by attackers to exploit the vulnerabilities and keep an eye out for additional intelligence and indicators (see below).
Indicators of Compromise (IOCs)
IOC | Type | Description | Source |
155.133.5.15 | IP | Used by unspecified attackers to exploit the ScreenConnect critical vulnerabilities | ConnectWise official security bulletin 2024-02-20 |
155.133.5.14 | IP | ||
118.69.65.60 | IP |
If you have any questions or concerns, please feel free to reach out to [email protected].
- Share On: