Cyber Threat Alert: Severe Vulnerability in ConnectWise ScreenConnect Exploited

What happened?

Two critical vulnerabilities in ConnectWise ScreenConnect servers, version 23.9.7 and earlier, have been disclosed by the vendor last week. Yesterday, 02/21/2024, the technical details and proof-of-concept exploitation of those vulnerabilities were published, too. ConnectWise confirmed earlier that the vulnerabilities are already exploited “in the wild” by malicious hackers.

The first flaw, CVE-2024-1708, is an authentication bypass in ScreenConnect’s setup wizard, possibly allowing users to access the setup wizard even when ScreenConnect had already been set up and set up an (additional) admin account. The second vulnerability, CVE-2024-1709, is a path traversal flaw through which an attacker can manipulate sensitive .xml files through crafted requests. When those requests contain directory traversal sequences, the attacker can navigate into the file system and eventually upload a malicious script or executable file outside the intended subdirectory used by ScreenConnect.

What is the risk?

Unpatched versions of ScreenConnect are now highly vulnerable to targeted attacks, as an exploit POC for those vulnerabilities is available publicly. Such attacks might result in a wide range of impact, from data theft to system compromise or installation of highly persistent tools.

What should MSPs do now?

As per ConnectWise’s official bulletin, users of on-premise ScreenConnect must update their version to 23.9.8.

Cloud users who access ScreenConnect servers hosted in “screenconnect.com” or “hostedrmm.com” should not take any action as the version has been automatically updated.

As the vulnerability occurs in the “SetupWizard.aspx” file (located in ScreenConnect’s program files), which is unnecessary after any setup or update, users should consider deleting the file.

All ScreenConnect server users who have been using the vulnerable versions are advised to investigate possible connections to IP addresses that were used by attackers to exploit the vulnerabilities and keep an eye out for additional intelligence and indicators (see below).

Indicators of Compromise (IOCs)

IOCTypeDescriptionSource
155.133.5.15IPUsed by unspecified attackers to exploit the ScreenConnect critical vulnerabilitiesConnectWise official security bulletin 2024-02-20
155.133.5.14IP
118.69.65.60IP

 If you have any questions or concerns, please feel free to reach out to [email protected].

Categories:

Guardz, Cybersecurity
Co-Pilot for MSPs

Demonstrate the value you bring to the table as an MSP and gain visibility into your clients’ external postures.
Holistic Protection.
Hassle-Free.
Cost-Effective.

Guide to Boosting Your Email Security

Discover the Power of Cybersecurity for Your MSP Growth.

Dive into the crucial e-mail security protocols (SPF, DKIM, DMARC) to enhance your e-mail protection and make sure your e-mails are delivered in the inbox of your recipients instead of the spam or quarantine folder.

This guide provides you with innovative strategies and expert insights to elevate your MSP business, strengthen client trust, and stay ahead of ever-evolving threats.

Guide to Boosting Your Email Security

Discover the Power of Cybersecurity for Your MSP Growth.

Dive into the crucial e-mail security protocols (SPF, DKIM, DMARC) to enhance your e-mail protection and make sure your e-mails are delivered in the inbox of your recipients instead of the spam or quarantine folder.

This guide provides you with innovative strategies and expert insights to elevate your MSP business, strengthen client trust, and stay ahead of ever-evolving threats.