A critical vulnerability patched this week in the ConnectWise ScreenConnect remote desktop software is already being exploited in the wild. Researchers warn that it’s trivial to exploit the flaw, which allows attackers to bypass authentication and gain remote code execution on systems, and proof-of-concept exploits already exist.
ScreenConnect is a popular remote support tool with both on-premises and in-cloud deployments. According to ConnectWise’s advisory released Monday, the cloud deployments hosted at screenconnect.com or hostedrmm.com have automatically been patched, but customers need to urgently upgrade their on-premises deployments to version 23.9.8.
Data from internet scanning service Censys showed over 8,000 vulnerable ScreenConnect servers when the vulnerability was disclosed. However, the impact of a successful exploit could extend past the server itself since a single ScreenConnect server could provide attackers with access to hundreds or thousands of endpoints — even across multiple organizations if the server is run by a managed service provider (MSP).
Attackers have exploited vulnerabilities in remote monitoring and management (RMM) tools used by MSPs in the past to gain access to their customers’ networks, and they also abused such tools for command-and-control in other attacks. Last month, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory about a malicious campaign that involved phishing emails that led to the download of legitimate RMM software, such as ScreenConnect and AnyDesk, that attackers then used to steal money from victims’ bank accounts in a refund scam.
In its original advisory, ConnectWise said there was no evidence of the two vulnerabilities it disclosed being exploited in the wild, but one day later it updated its advisory to warn customers that: “We received updates of compromised accounts that our incident response team have been able to investigate and confirm.”
Authentication bypass in the ScreenConnect setup wizard
The ScreenConnect patch addresses two vulnerabilities that don’t yet have CVE identifiers: an authentication bypass that’s rated with the maximum score of 10 (Critical) on the CVSS severity scale, and an improper limitation of a pathname to a restricted directory, also known as a path traversal flaw, that’s rated 8.4 (High).