CISA adds ConnectWise ScreenConnect vulnerability to the KEV database


CISA added the ConnectWise ScreenConnect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on 22 February 2024. The vulnerability must be patched before 29 February 2024.

  • The ConnectWise ScreenConnect vulnerability is an Authentication Bypass Vulnerability.
  • Initially, ConnectWise reported two security vulnerabilities, CWE-288 and CWE-22, on 13 February 2024. The CWE-288 issue appears to be under active exploitation by various threat actors.
  • CWE-288 is tracked as CVE-2024-1709 and CWE-22 is tracked as CVE-2024-1708.
  • CVE-2024-1709 (CWE-288) is a CRITICAL security vulnerability with a CVSS score of 10. It is an Authentication Bypass Vulnerability.
  • Exploiting it can lead to remote code execution or directly impact confidential data or critical systems.
  • The ConnectWise vulnerability affects its ScreenConnect remote desktop and access software.
  • The affected versions are ScreenConnect 23.9.7 and prior.
  • Remediation involves upgrading ConnectWise ScreenConnect to version 23.9.8.
  • This vulnerability only affects on-premises deployments. The cloud deployments of ConnectWise ScreenConnect have already been patched as part of ConnectWise's managed offering.
  • The vulnerability is already being exploited by threat actors, including ransomware threat actors.

CWE-288, tracked as CVE-2024-1709, enables attackers to bypass authentication mechanisms using an alternate path or channel, which could give them unauthorized access to the target systems.

The second vulnerability is classified as CWE-22, improper limitation of a pathname to a restricted directory (‘path traversal’), with a CVSS base score of 8.4. It could allow attackers to access files or directories outside the intended location, compromising the system’s security.

During its investigation into the reported breach, ScreenConnect came across the following Indicators of Compromise (IOCs):

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60
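
As an added defender-side example (not from the advisory or from ConnectWise), the version threshold and the three IOC addresses above turned into a small triage script: it parses ScreenConnect version strings numerically so that a 23.10.x build is not misread as older than 23.9.8, and scans constructed sample web-server log lines for the listed addresses. The log format and request paths are assumptions.

```python
import re
from ipaddress import ip_address

# Threshold stated in the advisory: 23.9.7 and prior are affected, 23.9.8 is the fix.
FIXED_VERSION = (23, 9, 8)

# The three IOC addresses listed in the advisory.
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def parse_version(version: str) -> tuple:
    """Turn '23.9.7' or '23.9.7.8817' into a tuple of ints for numeric comparison.
    A plain string comparison would wrongly rank '23.10.1' below '23.9.8'."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ScreenConnect version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> bool:
    """True when the installed build is below the fixed version 23.9.8."""
    return parse_version(version)[:3] < FIXED_VERSION

def find_ioc_hits(log_lines):
    """Return (line_number, ip) for every log line that contains a listed IOC address."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        seen = set()
        for candidate in IPV4_RE.findall(line):
            try:
                ip = str(ip_address(candidate))  # rejects e.g. 999.1.1.1
            except ValueError:
                continue
            if ip in IOC_IPS and ip not in seen:
                seen.add(ip)
                hits.append((n, ip))
    return hits

# Constructed sample web-server log lines (not real data) for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 512',
    '155.133.5.15 - - [22/Feb/2024:10:01:07 +0000] "GET /Administration HTTP/1.1" 200 244',
    '192.168.1.20 - - [22/Feb/2024:10:02:11 +0000] "GET /Host HTTP/1.1" 200 981',
    '118.69.65.60 - - [22/Feb/2024:10:03:45 +0000] "POST /Login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print({v: is_vulnerable(v) for v in ("23.9.7", "23.9.8", "23.10.1")})
    print(find_ioc_hits(SAMPLE_LOG))
```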

Shadowserver, a threat intelligence firm, has reported over 600 IP addresses being used for active exploitation of the ConnectWise vulnerabilities.

Shadowserver also reported over 8200 instances of vulnerable versions of ConnectWise ScreenConnect, and the attack sources it observed include 643 IP addresses.

In a similar report, Shodan has reported over 7800 vulnerable instances of ScreenConnect software.

ConnectWise ScreenConnect is a remote desktop and mobile support solution. It is used by managed service providers (MSPs) to offer support and manage client infrastructure. ScreenConnect is used for remote connections and offers a quick and seamless method to manage client infrastructure remotely.

The severity of the vulnerability makes it imperative to apply the latest security update and upgrade ScreenConnect to version 23.9.8. The vulnerability is especially critical for partners and MSPs that manage on-premises servers or deployments.

CISA expects vulnerable instances of ScreenConnect to be upgraded to the latest version, ConnectWise ScreenConnect 23.9.8, and has set a resolution due date of 29 February 2024.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about cyber-security events and stories, cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.