Understanding the Vulnerabilities
CVE-2024-1708
This is a path-traversal vulnerability with a CVSS score of 8.4 affecting ScreenConnect 23.9.7 and earlier, which may allow an attacker to execute code remotely or directly impact confidential data or critical systems.
CVE-2024-1709
Also affecting ScreenConnect 23.9.7 and earlier, this vulnerability is an authentication bypass using an alternate path or channel, rated CVSS 10.0. An attacker exploiting this flaw could obtain elevated permissions, up to impersonating a system administrator, and completely take over the system, including obtaining direct access to confidential information, creating admin accounts, and deleting all other users on publicly exposed instances.
Exploitation Status
The initial advisory released by ConnectWise on February 13, 2024 did not provide evidence that the vulnerabilities had been exploited in the wild. However, in recent updates ConnectWise has acknowledged the existence of compromised accounts, indicating active exploitation of the flaws.
Moreover, reports from several researchers and security firms confirm that the authentication bypass vulnerability (CVE-2024-1709) requires minimal technical knowledge to be exploited, and proof-of-concept exploits have recently been released on the web. Due to its exploitation status, this vulnerability was recently added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) list.
Extent of the Attacks
The exact scale of the exploitation campaign is currently unknown, but according to cyber security firm Huntress, over 8,800 servers are running a vulnerable version of ScreenConnect and there are signs that the flaw has come under widespread exploitation to deliver ransomware, remote access trojans, stealer malware, and cryptocurrency miners.
Remediation
We recommend immediately updating on-premise installations of ConnectWise ScreenConnect to version 23.9.8 or higher to remediate both vulnerabilities.
ConnectWise reports that Cloud partners are protected against both vulnerabilities, meaning no further action is required by these partners. Moreover, ConnectWise has decided to extend support to partners no longer under maintenance and remediate CVE-2024-1709 by making them eligible to install version 22.4 for free.
The company’s latest advisory update states that it has made available “an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later.” If the application is vulnerable, “an alert will be sent with instructions on how to perform the necessary actions to release the server.”
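The remediation guidance above, expressed as a triage over an asset inventory (an added example, not code from ConnectWise or Holm Security). The host names, version strings and CSV layout are constructed, and because the page does not name the remediated 22.4 build, instances on that branch are flagged for manual review rather than judged.

```python
import re

FIXED = (23, 9, 8)        # first fixed release named in the advisory
LEGACY_BRANCH = (22, 4)   # branch offered to partners no longer under maintenance

def parse_version(text):
    """Return a dotted numeric version as a tuple of ints, or None if unreadable."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(hosting, version_text):
    """Classify one instance according to the remediation guidance."""
    if hosting == "cloud":
        return "OK: cloud instance, no further action required"
    version = parse_version(version_text)
    if version is None:
        return "REVIEW: version unreadable, check the server manually"
    padded = version + (0,) * (3 - len(version))   # '19.2' -> (19, 2, 0)
    if padded[:3] >= FIXED:
        return "OK: 23.9.8 or later"
    if version[:2] == LEGACY_BRANCH:
        # Assumption: build number of the remediated 22.4 release is not on the page.
        return "REVIEW: 22.4 branch, confirm remediated build (covers CVE-2024-1709)"
    return "VULNERABLE: update to 23.9.8 or later"

# Constructed inventory rows: host, hosting model, reported version.
INVENTORY = """\
sc-hq.example.internal,on-prem,23.9.7.1
sc-branch.example.internal,on-prem,23.9.8.1
sc-legacy.example.internal,on-prem,22.4.1
sc-old.example.internal,on-prem,19.2
sc-saas.example.internal,cloud,23.9.7
sc-lab.example.internal,on-prem,unknown
"""

def triage_inventory(text):
    """Map each host in the CSV text to its triage verdict."""
    results = {}
    for line in text.splitlines():
        host, hosting, version = (field.strip() for field in line.split(","))
        results[host] = triage(hosting, version)
    return results

if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:30} {verdict}")
```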
Holm Security Vulnerability Management Platform
To allow our customers to verify if the version installed on the target systems is vulnerable to these flaws, Holm Security has released two Vulnerability Tests:
- A version check test: HID-2-1-5356966 ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities
- A remote test that actively checks the exploitability of the authentication bypass: HID-2-1-5356185 ScreenConnect Authentication Bypass - CVE-2024-1709
Nicola Albanese
Nicola Albanese is a Security Developer in our Security Research Team. He has written and translated news, reviews, and documentation about electronics, networks, and security devices for nearly 15 years. He also worked as a 2nd-level technician for AT&T backbone EMEA networks before answering the call from information and data security in 2018.