ConnectWise ScreenConnect Exploitation

THE THREAT

On February 20th, ConnectWise confirmed that two recently disclosed ScreenConnect vulnerabilities are now under active exploitation. The vulnerabilities are currently tracked as CVE-2024-1709 (CVSS: 10) Authentication bypass, and CVE-2024-1708 (CVSS: 8.4) Path Traversal; both vulnerabilities impact ConnectWise ScreenConnect versions 23.9.7 and prior. Exploitation of these vulnerabilities would allow a remote and unauthenticated threat actor to execute code and directly impact confidential data and critical systems. 

Proof-of-Concept (PoC) exploit code for the vulnerabilities was released on February 20th, lowering the barrier for exploitation. The eSentire Threat Intelligence team assesses that it is almost certain that widespread exploitation will begin this week. Due to the ongoing exploitation and expected increase in attacks, it is of critical importance that all impacted organizations apply the available updates as soon as possible.

What we’re doing about it

• eSentire MDR for Network detections have been created to identify exploitation attempts
• eSentire has blocked known malicious IP addresses associated with real-world attacks via the eSentire Global Block List
• The eSentire Threat Intelligence team is performing threat hunts based on known Indicators of Compromise
• The eSentire Threat Response Unit is reviewing available information for additional detection opportunities
• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable ScreenConnect versions 

What you should do about it

• After performing a business impact review, apply the relevant security patches
  • Updated versions of ScreenConnect 22.4 through 23.9.7 will be released in the near future, but ConnectWise strongly recommends upgrading to ScreenConnect version 23.9.8
  • Alternative mitigations are not currently available  

Additional information 

ConnectWise has confirmed that attacks exploiting CVE-2024-1709 (CWE-288) and CVE-2024-1708 (CWE-22) are ongoing, but details on observed attacks have not been disclosed at this time. Exploitation is considered to be relatively simple, increasing the likelihood of widespread exploitation by a variety of threat actor groups. Additionally, over 8,000 vulnerable and Internet-facing servers have been identified. As these vulnerabilities enable initial access and code execution, it is probable that initial access vendors and ransomware actors will be especially interested in these vulnerabilities.

It should be noted that response actions are only required for on-premise/self-hosted ScreenConnect servers. ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have already been updated and do not require additional remediation actions.

References:

[1] https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
[2] https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass