Security operations · 2 MIN READ · AARON WALTON · FEB 20, 2024 · TAGS: Alert / Cloud security / MDR / Vulnerability
ConnectWise has disclosed a vulnerability that can give attackers access to self-hosted and on-premise ScreenConnect instances. Here’s what you need to know.
[This post was updated on February 21, 2024, to reflect the most current, available information.]
What happened?
Unauthenticated attackers can log into self-hosted and on-premise ConnectWise ScreenConnect instances to gain remote access to connected computers, affecting ScreenConnect versions 23.9.7 and prior. ConnectWise recommends that customers patch their ScreenConnect their servers to version 23.9.8 immediately to apply a patch for these vulnerabilities:
- CWE-288 – authentication bypass using an alternate path or channel
- CWE-22 – improper limitation of a pathname to a restricted directory (“path traversal”)
Why does it matter?
ConnectWise disclosed that ScreenConnect servers have an authentication bypass that allows unauthenticated attackers to gain access to connected computers on self-hosted and on-premise instances. ConnectWise rated these vulnerabilities with a CVSS rating of 10, Critical.
Bypassing the login will give attackers system-level access, which is bad news. ConnectWise patched its own servers so customers using cloud instances are safe and don’t need to take action. However, customers who are hosting their own ConnectWise servers need to patch them to version 23.9.8 immediately.
This vulnerability and its associated fix are very simple. But we anticipate that once the exact details are public, attackers will start using it to gain remote access to systems for companies that haven’t updated their systems and applied the patch.
What should you do right now?
These vulnerabilities are being exploited in the wild; we recommend you take action now.
If you use self-hosted or on-premise ConnectWise ScreenConnect servers, immediately update them to ScreenConnect server version 23.9.8.
ConnectWise made the patch available to download here, and you can refer to these instructions for help. You can also contact us with any questions.
What can you do longer-term?
Weigh the pros and cons of self-hosting software tools like these versus using cloud instances. Each organization has their reasons for choosing one over the other, but cloud hosting does come with advantages, like the fact that providers can quickly implement fixes on your behalf when they identify an issue. Self-hosting may give you more control, but also gives you greater responsibility to react when vendors identify severe issues.
Vulnerabilities like these are also a good reminder to keep an eye on the resources your technology vendors provide to stay up-to-date on the latest developments and changes for the software you rely on most. News of this issue originally came through the vulnerability disclosure channel via the ConnectWise Trust Center.
What next?
We’re monitoring this situation closely as it unfolds. We’ll update this post with big developments, but keep an eye on ConnectWise’s security bulletins page or our socials (@ExpelSecurity) for any important additional recommendations as they emerge.
