Frequently asked questions about two vulnerabilities affecting ConnectWise ScreenConnect
Update February 20: The blog has been updated with confirmation from ConnectWise of in-the-wild exploitation.
Background
The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding two vulnerabilities impacting ScreenConnect, a Remote Monitoring and Management (RMM) solution from ConnectWise.
FAQ
What are the ScreenConnect vulnerabilities and when were they disclosed?
On February 19, ConnectWise released a security advisory for two vulnerabilities affecting their RMM product, ScreenConnect. At the time the advisory was released, no CVE identifiers had been released for the vulnerabilities.
| CVE | Description | CVSSv3 |
|---|---|---|
| N/A | Authentication bypass that could allow an attacker to execute remote code or directly impact confidential data or critical systems. | 10 |
| N/A | A path traversal vulnerability that could allow an attacker to access confidential data | 8.4 |
Which versions of ConnectWise are affected?
ScreenConnect versions 23.9.7 and prior are affected by these vulnerabilities. These vulnerabilities only impact self-hosted or on-premise installations. Cloud customers who have ScreenConnect servers hosted on the “screenconnect.com” or “hostedrmm.com” are not impacted as updates have been made to the cloud service to address these vulnerabilities.
The advisory also notes that updated versions of ScreenConnect 22.4 through 23.9.7 will be released, however they still strongly recommend upgrading to ScreenConnect version 23.9.8.
Have any of these vulnerabilities been exploited?
On February 20, ConnectWise updated its security advisory to share indicators of compromise (IOCs) relating to malicious activity. In this update, ConnectWise notes that they have "received updates of compromised accounts" that were investigated and confirmed by its incident response team, indicating in-the-wild exploitation of these flaws. The update includes IOCs of IP addresses reportedly associated with threat actor activity.
Has any Proof-of-Concept (PoC) code been released?
As of February 20, a blog by Huntress indicates that their researchers have reproduced these vulnerabilities and developed a working PoC, however they have chosen not to release the exploit code. Additionally, researchers at Horizon3 Attack Team posted to X (formerly known as Twitter) about their own PoC for the authentication bypass vulnerability, adding that it is “extremely trivial to reverse and exploit” that they plan to publish it along with a blog post soon.
The recent #ConnectWise#ScreenConnect authentication bypass vulnerability is extremely trivial to reverse and exploit. Blog and exploit POC will drop soon. pic.twitter.com/mEIaRetKxQ
— Horizon3 Attack Team (@Horizon3Attack) February 20, 2024
Are patches or mitigations available?
As of February 19 when the security advisory was released, ScreenConnect version 23.9.8 has been released to address these vulnerabilities. No mitigation steps were provided by ConnectWise.
Has Tenable released any product coverage for these vulnerabilities?
As of February 20, Tenable Research is investigating product coverage for these issues.
Get more information
- ConnectWise ScreenConnect 23.9.8 Security Advisory
- Huntress Blog Post: Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8
Change Log
Update February 20: The blog has been updated with confirmation from ConnectWise of in-the-wild exploitation.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
