What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

ConnectWise ScreenConnect Exploitation

February 21, 2024 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On February 20th, ConnectWise confirmed that two recently disclosed ScreenConnect vulnerabilities are now under active exploitation. The vulnerabilities are currently tracked as CVE-2024-1709 (CVSS: 10) Authentication bypass, and CVE-2024-1708 (CVSS: 8.4) Path Traversal; both vulnerabilities impact ConnectWise ScreenConnect versions 23.9.7 and prior. Exploitation of these vulnerabilities would allow a remote and unauthenticated threat actor to execute code and directly impact confidential data and critical systems. 

Proof-of-Concept (PoC) exploit code for the vulnerabilities was released on February 20th, lowering the barrier for exploitation. The eSentire Threat Intelligence team assesses that it is almost certain that widespread exploitation will begin this week. Due to the ongoing exploitation and expected increase in attacks, it is of critical importance that all impacted organizations apply the available updates as soon as possible.

What we’re doing about it

What you should do about it

Additional information 

ConnectWise has confirmed that attacks exploiting CVE-2024-1709 (CWE-288) and CVE-2024-1708 (CWE-22) are ongoing, but details on observed attacks have not been disclosed at this time. Exploitation is considered to be relatively simple, increasing the likelihood of widespread exploitation by a variety of threat actor groups. Additionally, over 8,000 vulnerable and Internet-facing servers have been identified. As these vulnerabilities enable initial access and code execution, it is probable that initial access vendors and ransomware actors will be especially interested in these vulnerabilities.

It should be noted that response actions are only required for on-premise/self-hosted ScreenConnect servers. ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have already been updated and do not require additional remediation actions.

References:

[1] https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
[2] https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass  

View Most Recent Advisories