Understanding the Vulnerabilities
CVE-2024-1708
This is a path-traversal vulnerability with a CVSS score of 8.4 affecting ScreenConnect 23.9.7 and earlier, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
CVE-2024-1709
Also affecting ScreenConnect 23.9.7 and earlier, this vulnerability is an authentication bypass using an alternate path or channel, rated CVSS 10.0. An attacker exploiting this flaw could obtain elevated permissions up to mimicking the role of a system admin and completely take over the system, including obtaining direct access to confidential information, creating admin accounts, and deleting all other users on publicly exposed instances.
Exploitation Status
The initial advisory released by ConnectWise on February 13, 2024 did not provide evidence that the vulnerabilities had been exploited in the wild. However, in recent updates ConnectWise has acknowledged the existence of compromised accounts, indicating active exploitation of the flaws.
Moreover, reports from several researchers and security firms confirm that the authentication bypass vulnerability (CVE-2024-1709) requires minimal technical knowledge to be exploited, and proof-of-concept exploits have recently been released on the web. Due to its exploitation status, this vulnerability was recently added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) list.
View CISA's Known Exploited Vulnerabilities
Extent of the Attacks
The exact scale of the exploitation campaign is currently unknown, but according to cyber security firm Huntress, over 8,800 servers are running a vulnerable version of ScreenConnect and there are signs that the flaw has come under widespread exploitation to deliver ransomware, remote access trojans, stealer malware, and cryptocurrency miners.
Remediation
We recommend immediately updating on-premise installations of ConnectWise ScreenConnect to version 23.9.8 or higher to remediate both vulnerabilities.
ConnectWise reports that Cloud partners are protected against both vulnerabilities, meaning no further action is required by these partners. Moreover, ConnectWise has decided to extend support to partners no longer under maintenance and remediate CVE-2024-1709 by making them eligible to install version 22.4 for free.
The company’s latest advisory update states that it has made available “an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later.” If the application is vulnerable, “an alert will be sent with instructions on how to perform the necessary actions to release the server.”
Read the ConnectWise Advisory Update
Holm Security Vulnerability Management Platform
To allow our customers to verify if the version installed on the target systems is vulnerable to these flaws, Holm Security has released two Vulnerability Tests:
- A version check test: HID-2-1-5356966 ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities
- A remote test that actively checks the exploitability of the authentication bypass: HID-2-1-5356185 ScreenConnect Authentication Bypass - CVE-2024-1709
Read More in Our Knowledge Base
Belgium
Denmark
Finland
Germany
Malaysia
Netherlands
Norway
Poland
Sweden
UK
April 12, 2024 — Hacker attacks & exploits
Zero-Day Vulnerability in Palo Alto Networks PAN-OS Exploited in the Wild
Read more
January 24, 2024 — Hacker attacks & exploits
Critical Security Flaw in GoAnywhere MFT: Users Exposed to Unauthorized Admin Access
Read more
January 23, 2024 — Hacker attacks & exploits
Exploited Vulnerabilities in Ivanti: Connect Secure and Policy Secure Pose Serious Threats
Read more