Security Announcement: Critical Vulnerabilities Discovered in ConnectWise ScreenConnect

Understanding the Vulnerabilities

CVE-2024-1708

This is a path-traversal vulnerability with a CVSS score of 8.4 affecting ScreenConnect 23.9.7 and earlier. It may allow an attacker to execute code remotely or directly impact confidential data or critical systems.

CVE-2024-1709

Also affecting ScreenConnect 23.9.7 and earlier, this vulnerability is an authentication bypass using an alternate path or channel, rated CVSS 10.0. An attacker exploiting this flaw could obtain elevated permissions, up to assuming the role of a system admin, and completely take over the system. On publicly exposed instances this includes obtaining direct access to confidential information, creating admin accounts, and deleting all other users.

Exploitation Status

The initial advisory released by ConnectWise on February 13, 2024, did not provide evidence that the vulnerabilities had been exploited in the wild. However, in recent updates ConnectWise has acknowledged the existence of compromised accounts, indicating active exploitation of the flaws.

Moreover, reports from several researchers and security firms confirm that the authentication bypass vulnerability (CVE-2024-1709) requires minimal technical knowledge to be exploited, and proof-of-concept exploits have recently been released on the web. Due to its exploitation status, this vulnerability was recently added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) list.


Extent of the Attacks

The exact scale of the exploitation campaign is currently unknown, but according to cyber security firm Huntress, over 8,800 servers are running a vulnerable version of ScreenConnect and there are signs that the flaw has come under widespread exploitation to deliver ransomware, remote access trojans, stealer malware, and cryptocurrency miners.

Remediation

We recommend immediately updating on-premise installations of ConnectWise ScreenConnect to version 23.9.8 or higher to remediate both vulnerabilities.

ConnectWise reports that Cloud partners are protected against both vulnerabilities, meaning no further action is required by these partners. Moreover, ConnectWise has decided to extend support to partners no longer under maintenance and remediate CVE-2024-1709 by making them eligible to install version 22.4 for free.

The company’s latest advisory update states that it has made available “an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later.” If the application is vulnerable, “an alert will be sent with instructions on how to perform the necessary actions to release the server.”
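
An inventory triage applying the version guidance above, added here as an illustration and not code from ConnectWise or Holm Security. The hostnames, the CSV layout and the status labels are assumptions; 22.4.x hosts are flagged for manual review because the page does not give the fixed build number.

```python
import re

FIXED = (23, 9, 8)       # first fixed release named in the advisory text above
LEGACY_BRANCH = (22, 4)  # branch the text says remediates CVE-2024-1709

# Constructed sample inventory: hostname,deployment,version (not real data).
SAMPLE_INVENTORY = """\
sc-hq.example.internal,on-prem,23.9.7.1000
sc-branch.example.internal,on-prem,23.9.8
sc-old.example.internal,on-prem,22.4.1
sc-lab.example.internal,on-prem,19.2
sc-cloud.example.internal,cloud,23.9.7
sc-unknown.example.internal,on-prem,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None when the string is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(deployment, version_text):
    if deployment == "cloud":
        return "vendor-managed"        # text above: cloud partners need no action
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"       # never assume an unparsed host is safe
    if (version + (0, 0))[:3] >= FIXED:  # pad "24" or "23.10" before comparing
        return "patched"
    if version[:2] == LEGACY_BRANCH:
        # The page gives no fixed 22.4 build number, so confirm it by hand;
        # the page ties this branch to CVE-2024-1709 only.
        return "review-22.4-build"
    return "vulnerable"

def triage(inventory_text):
    results = {}
    for line in inventory_text.splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            continue                   # skip blank or malformed rows
        host, deployment, version_text = fields
        results[host] = classify(deployment, version_text)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {status}")
```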


Holm Security Vulnerability Management Platform

To allow our customers to verify whether the version installed on the target systems is vulnerable to these flaws, Holm Security has released two Vulnerability Tests:

  • A version check test: HID-2-1-5356966 ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities

  • A remote test that actively checks the exploitability of the authentication bypass: HID-2-1-5356185 ScreenConnect Authentication Bypass - CVE-2024-1709
