CISA added the ConnectWise ScreenConnect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on 22 February 2024. The vulnerability must be remediated by 29 February 2024.
Salient points
- The ConnectWise ScreenConnect vulnerability is an Authentication Bypass Vulnerability.
- Initially, ConnectWise reported two security vulnerabilities, classified as CWE-288 and CWE-22, on 13 February 2024. The CWE-288 issue appears to be actively exploited by various threat actors.
- CWE-288 is tracked as CVE-2024-1709 and CWE-22 is tracked as CVE-2024-1708.
- CVE-2024-1709 (CWE-288) is a CRITICAL security vulnerability with a CVSS score of 10. It is an Authentication Bypass Vulnerability.
- The vulnerability can lead to remote code execution or directly impact confidential data or critical systems.
- The ConnectWise vulnerability affects its ScreenConnect remote desktop and access software.
- The affected versions include ScreenConnect 23.9.7 and prior versions.
- Remediation involves upgrading ConnectWise ScreenConnect to version 23.9.8.
- This vulnerability only affects the on-premise deployments. The cloud deployments of ConnectWise ScreenConnect have already been patched as part of the managed offering of ConnectWise.
- The vulnerability is already being exploited by threat actors, including ransomware threat actors.
About CWE-288
CWE-288 (CVE-2024-1709) enables attackers to bypass authentication mechanisms using an alternate path or channel, which could give them unauthorized access to the target systems.
The second vulnerability is classified as CWE-22. It involves improper limitation of a pathname to a restricted directory, known as ‘path traversal,’ with a CVSS base score of 8.4. This issue could allow attackers to access files or directories outside the specified location, compromising the system’s security.
During its investigation into the reported breach, ConnectWise identified the following Indicators of Compromise (IOCs):
- 155.133.5.15
- 155.133.5.14
- 118.69.65.60
Shadow Server, a threat intelligence firm, has reported over 600 IP addresses being used for active exploitation of the ConnectWise vulnerabilities.
Affected servers
Shadow Server reported over 8200 instances of vulnerable versions of ConnectWise ScreenConnect, and observed 643 IP addresses involved in attacks against them.
In a similar report, Shodan has reported over 7800 vulnerable instances of ScreenConnect software.
About ScreenConnect
ConnectWise ScreenConnect is a remote desktop and mobile support solution. It is used by managed service providers (MSPs) to offer support and manage client infrastructure. ScreenConnect is used for remote connections and offers a quick and seamless method to manage client infrastructure remotely.
The severity of the vulnerability makes it imperative to apply the latest security update and upgrade ScreenConnect to version 23.9.8. The vulnerability is especially CRITICAL for partners and MSPs that manage on-premise servers or deployments.
The CISA expects vulnerable instances of ScreenConnect to be upgraded to the latest version of ConnectWise ScreenConnect 23.9.8. For this, a resolution due date of 29 February 2024 has been set.
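For defenders working through the two actions this post describes, finding on-premise servers still on 23.9.7 or earlier and checking web logs for the published IOC addresses, here is a small triage script. It is an added example, not code from ConnectWise or CISA; the host inventory, hostnames and log lines are constructed for the example.

```python
"""Triage helper for the ConnectWise ScreenConnect advisory (CVE-2024-1709 / CVE-2024-1708).

Two checks a defender wants from the advisory:
  1. Is an on-premise ScreenConnect server still on an affected version (23.9.7 or earlier)?
  2. Do web-server access logs contain requests from the IOC IP addresses ConnectWise published?
Cloud-hosted instances are out of scope: ConnectWise patched those itself.
"""
import ipaddress
import re

FIXED_VERSION = (23, 9, 8)  # first fixed release named in the advisory

# IOC IP addresses published by ConnectWise (as listed on the page)
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}

# Constructed inventory of on-premise servers; hostnames and versions are placeholders
INVENTORY = {"sc-prod-01": "23.9.7.8787", "sc-lab-02": "23.9.8.8811", "sc-old-03": "22.8.10"}

# Constructed access-log lines in Combined Log Format (not real traffic)
SAMPLE_LOG = """\
155.133.5.15 - - [20/Feb/2024:10:15:01 +0000] "GET /Login HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2024:10:16:44 +0000] "GET /Host HTTP/1.1" 200 8802
118.69.65.60 - - [21/Feb/2024:03:02:11 +0000] "POST /Login HTTP/1.1" 302 0
"""

def parse_version(text):
    """Turn '23.9.7.8787' or '23.9.8' into (major, minor, patch), ignoring build suffixes."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts[:3])

def is_affected(version):
    """True for 23.9.7 and earlier. An unparseable version yields () and is treated
    as affected, so unknown hosts are flagged for manual review rather than ignored."""
    return parse_version(version) < FIXED_VERSION

def affected_hosts(inventory):
    """Sorted list of hostnames whose ScreenConnect version needs the 23.9.8 upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

def find_ioc_hits(log_text, iocs=IOC_IPS):
    """Return (line_no, ip, line) for every log line whose client IP is in the IOC set."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        first_field = line.split(" ", 1)[0]
        try:
            ip = str(ipaddress.ip_address(first_field))  # normalises and validates the field
        except ValueError:
            continue  # not a log line that starts with a client address
        if ip in iocs:
            hits.append((line_no, ip, line))
    return hits

if __name__ == "__main__":
    print("Hosts needing upgrade:", affected_hosts(INVENTORY))
    for line_no, ip, _ in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit on log line {line_no}: {ip}")
```

A hit on an IOC address is a reason to start incident response on that server, not proof of compromise on its own; the same goes for the version check, which only says the patch is missing.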
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.