Severe ConnectWise ScreenConnect Vulnerabilities

Executive Summary

On February 19th, 2024, ConnectWise published a security bulletin reporting two impactful vulnerabilities in their product ConnectWise ScreenConnect. One of these vulnerabilities is particularly severe, with a critical rating of 10.0 on the CVSS scale, indicating the highest level of risk when successfully exploited.

The two vulnerabilities, combined, could allow remote unauthenticated attackers to gain access to ConnectWise ScreenConnect servers. Threat actors can then attempt to leverage this access to target other systems reachable via the ScreenConnect Remote Desktop & Support product.

The vulnerabilities have been replicated by third-party security researchers who created a working Proof-of-Concept (PoC) exploit and verified the impact of a successful attack. These researchers were able to create a reliable and functional exploit within just 24 hours of ConnectWise’s initial disclosure.

Update 2024-02-21 – Multiple third-party security firms and ConnectWise themselves have reported widespread exploitation attempts for this vulnerability across their client base. This vulnerability should be addressed immediately.

Lodestone strongly recommends that organizations take immediate action to apply the patches highlighted in the “Patches” section of this advisory.

Affected Systems / Products

The following products are reported vulnerable, according to ConnectWise:

  • ScreenConnect versions 23.9.7 and prior

Mitigations / Workarounds

No mitigations or workarounds are currently available; however, ConnectWise has published patches for all impacted versions of the ConnectWise ScreenConnect product.

Lodestone strongly recommends applying available patches immediately.

Patches

These are the patch instructions as given on the ConnectWise site:

Cloud Hosted ScreenConnect Instances

Organizations using ConnectWise-hosted ScreenConnect instances are not required to take any further action. ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.

On-premise Instances

Organizations leveraging on-premise instances of ConnectWise ScreenConnect should immediately upgrade their ScreenConnect instances to version 23.9.8 or later in order to address these vulnerabilities.

Recognizing the critical nature of these vulnerabilities, ConnectWise has taken the proactive step of updating previous versions of the ScreenConnect product, specifically from version 22.4 to 23.9.7. Despite these updates, the vendor strongly urges all users to upgrade to ScreenConnect version 23.9.8 at their earliest convenience to ensure the highest level of security and protection against potential exploits.

Additional instructions on applying these security patches are available on ConnectWise’s website below:

https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Get_started_with_ConnectWise_ScreenConnect_On-Premise/Upgrade_an_on-premises_installation

Indicators of Compromise

Update 2024-02-21 – ConnectWise has confirmed in-the-wild exploit attempts of these vulnerabilities. They provided the following IP addresses to assist with detection and defence:

  • 155[.]133[.]5[.]15
  • 155[.]133[.]5[.]14
  • 118[.]69[.]65[.]60
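
One way to sweep exported web or firewall logs for the three addresses above, given here as an added example and not as ConnectWise or Lodestone tooling. The log layout and the sample entries are constructed for illustration; addresses are compared as whole values so that a longer address sharing a prefix with an indicator is not reported.

```python
import ipaddress
import re

# Indicators as published in this advisory (defanged notation).
DEFANGED_IOCS = ["155[.]133[.]5[.]15", "155[.]133[.]5[.]14", "118[.]69[.]65[.]60"]

# Candidate IPv4 tokens. The lookarounds reject a match that sits inside a
# longer number or dotted string, so 155.133.5.150 never counts as 155.133.5.15.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def refang(indicator: str) -> ipaddress.IPv4Address:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 into an address object."""
    return ipaddress.IPv4Address(indicator.replace("[.]", "."))


IOCS = {refang(i) for i in DEFANGED_IOCS}


def find_ioc_hits(lines):
    """Return {ioc_ip: [line_numbers]} for log lines containing a listed address."""
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        for token in set(IPV4_TOKEN.findall(line)):
            try:
                addr = ipaddress.IPv4Address(token)
            except ValueError:  # not a valid IPv4 address, e.g. 999.1.1.1
                continue
            if addr in IOCS:
                hits.setdefault(str(addr), []).append(lineno)
    return hits


# Constructed sample log lines (hypothetical format, not real ScreenConnect output).
SAMPLE_LOG = [
    "2024-02-21 03:14:07 192.0.2.10 GET / 200",
    "2024-02-21 03:15:42 155.133.5.15 POST / 200",
    "2024-02-21 03:15:50 155.133.5.150 GET / 200",
    "2024-02-21 03:16:02 src=118.69.65.60:51544 dst=198.51.100.7:443 allow",
    "2024-02-21 03:17:30 198.51.100.23 GET / 302",
]

if __name__ == "__main__":
    for ip, linenos in sorted(find_ioc_hits(SAMPLE_LOG).items()):
        print(f"{ip}: seen on log line(s) {linenos}")
```

A hit only shows contact from a listed address; which line numbers matter depends on whether the server was still on 23.9.7 or earlier at that time.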

How Beazley Security is Responding

Lodestone has actively identified any instances of ConnectWise ScreenConnect that may be vulnerable within the organizations monitored by Lodestone’s Attack Surface Management (ASM) product, Karma.
