Critical vulnerabilities in ConnectWise ScreenConnect

Target Industry

Managed Service Providers (MSPs) and organisations using ConnectWise ScreenConnect for remote access.

Overview

On 19th February 2024, ConnectWise disclosed two critical vulnerabilities in ScreenConnect versions 23.9.7 and prior. Tracked as CVE-2024-1708 (CVSSv3 Base Score 8.4) and CVE-2024-1709 (CVSSv3 Base Score 10.0), these vulnerabilities are being actively exploited by notable threat actors, including BlackBasta ransomware operators and the Bl00dy ransomware gang.

ConnectWise has released fixes for these vulnerabilities and operators of the software are strongly advised to update as soon as possible.

Customers of the ScreenConnect cloud solution are no longer vulnerable as ConnectWise has updated its servers.

Impact

Exploitation of CVE-2024-1708 (Path Traversal) allows attackers to gain unauthorised access to restricted data, potentially leading to information disclosure and system compromise.

Exploitation of CVE-2024-1709 (Authentication Bypass Using an Alternate Path or Channel) enables attackers to gain direct access to confidential information or critical systems.

Vulnerability Detection

Organisations that use ConnectWise ScreenConnect versions 23.9.7 and prior are vulnerable to exploitation.

Containment, Mitigations & Remediations

Immediate update of ConnectWise ScreenConnect to version 23.9.8 is recommended to remediate the vulnerabilities. Self-hosted and on-premises installations must be updated manually, while cloud-hosted instances on screenconnect.com and hostedrmm.com have been updated automatically. Where immediate updating is not feasible, it is advised to block ScreenConnect services at the network level.
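The version boundary from Vulnerability Detection and the cloud-hosting note above can be applied to an asset inventory. The following is an added example, not ConnectWise's or this bulletin's own code; the function names, the sample hostnames and build numbers, and the assumption that a hostname under screenconnect.com or hostedrmm.com identifies a cloud-hosted instance are illustrative.

```python
# Added example: triage a ScreenConnect inventory against the bulletin's version boundary.
import re

FIXED = (23, 9, 8)  # first fixed release named in the bulletin
CLOUD_SUFFIXES = ("screenconnect.com", "hostedrmm.com")  # vendor-updated, per the bulletin

def parse_version(text):
    """Return a tuple of ints for strings like '23.9.7' or '23.9.7.1000', else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(host, version_text):
    """Return 'cloud-updated', 'vulnerable', 'patched' or 'review'."""
    name = host.lower().rstrip(".")
    # Assumption: the hostname suffix identifies a vendor-hosted instance.
    if any(name == s or name.endswith("." + s) for s in CLOUD_SUFFIXES):
        return "cloud-updated"
    version = parse_version(version_text)
    if version is None:
        return "review"  # unknown build: treat as unverified, not as safe
    # Compare on major.minor.patch only; pad short versions with zeros.
    core = (version + (0, 0, 0))[:3]
    return "patched" if core >= FIXED else "vulnerable"

def triage(inventory):
    """Group (host, version) pairs by classification, preserving input order."""
    result = {}
    for host, version_text in inventory:
        result.setdefault(classify(host, version_text), []).append(host)
    return result

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("support.example.internal", "23.9.7.1000"),
    ("remote.example.internal", "23.9.8.1001"),
    ("legacy.example.internal", "22.4"),
    ("acme.screenconnect.com", "unknown"),
    ("lab.example.internal", "v23-beta"),
    ("msp.hostedrmm.com", "23.9.6"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the "review" group have version strings the script could not parse and should be checked by hand rather than assumed patched.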

Threat Landscape

This incident highlights the ongoing risks associated with software vulnerabilities, particularly for widely used remote access tools. The ease of exploitation and the availability of proof-of-concept code increase the likelihood of widespread attacks, underscoring the importance of timely vulnerability management and incident response capabilities.

Threat Group

BlackBasta ransomware operators and the Bl00dy ransomware gang are actively exploiting these vulnerabilities to deploy ransomware.

Additional Reading

CISA Advisory on CVE-2024-1709

Detection Guidance for ConnectWise CVE-2024-1709