In a critical security advisory, ConnectWise has alerted users of its ScreenConnect remote access software to patch their systems immediately due to two severe vulnerabilities discovered in versions 23.9.7 and earlier.
These vulnerabilities, identified as CWE-288 and CWE–22, allow for authentication bypass and path traversal, posing a significant risk to the integrity and security of affected systems.
More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..
ScreenConnect Security Flaw
The first vulnerability, CWE-288, enables attackers to bypass authentication mechanisms using an alternate path or channel, receiving the highest severity score of 10.
This flaw could allow unauthorized access to the system, potentially leading to further exploitation.
The second vulnerability, CWE-22, involves improper limitation of a pathname to a restricted directory, known as ‘path traversal,’ with a base score of 8.4.
This issue could allow attackers to access files or directories outside the specified location, compromising the system’s security.
ScreenConnect is widely used for remote access by organizations globally, making these vulnerabilities particularly concerning due to the potential for attackers to exploit vulnerable instances and push ransomware or other malicious payloads to downstream clients.
This risk is especially acute for managed service providers (MSPs) or managed security services providers (MSSPs) who use ScreenConnect to manage client environments remotely.
Shodan has reported that over 7,900 servers that are connected are running versions of ScreenConnect that are vulnerable.
Mitigation and Response
ConnectWise has taken immediate action to address these vulnerabilities by releasing version 23.9.8 of ScreenConnect, which patches these critical security flaws.
Cloud users of ScreenConnect do not need to take any action, as cloud instances have been automatically updated to the latest secure version.
However, on-premise users are strongly urged to update their servers to version 23.9.8 immediately to mitigate the risks posed by these vulnerabilities.
Security researchers at Huntress and Rapid7 have echoed the urgency of applying these patches, with Huntress successfully creating and validating a proof-of-concept exploit for the vulnerabilities.
Over 8,800 servers were reported as running a vulnerable version, highlighting the widespread potential impact.
Indicators of compromise
IOCs:
- 155.133.5.15
- 155.133.5.14
- 118.69.65.60
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.