ConnectWise patches critical ScreenConnect vulnerability


ConnectWise has disclosed two vulnerabilities, one critical, in its ScreenConnect remote desktop application.



The critical bug, CVE-2024-1709, was described by security company Horizon3 in an X post as “extremely trivial” to exploit.

CVE-2024-1709, which carries a CVSS score of 10.0, is an authentication bypass vulnerability.

Horizon3, which has published a technical discussion of the vulnerability and a proof-of-concept, said it “allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server”.

In its advisory, ConnectWise originally said it had “no evidence” that the vulnerabilities were exploited in the wild.

However, it later updated the advisory to identify two attacker IP addresses in the 155.n.n3.n range and one in the 118.n.n.n range that it said are indicators of compromise.

The second vulnerability, CVE-2024-1708, is a path traversal bug with a CVSS score of 8.8.

It “may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.”

Horizon3 isn’t the only cyber security company to give its attention to the vulnerabilities.

Managed security company Huntress has published an analysis, with a link to its proof-of-concept (PoC); and watchTowr Labs has its own exploit.

ScreenConnect previously featured in an attack on Wipro, when it was dropped on victim computers to provide remote access to the attackers.

In January 2023, North America’s Cybersecurity and Infrastructure Security Agency included the software in a general warning against phishing attacks dropping legitimate remote access tools on targets.

The bugs do not affect ScreenConnect hosted in the cloud by ConnectWise.


