ConnectWise ScreenConnect Vulnerabilities Being Exploited by Attackers, Fixes Now Available for All Users (CVE-2024-1709, CVE-2024-1708)

ConnectWise has revealed that the two ScreenConnect vulnerabilities it has been urging customers to patch have now been assigned CVE numbers: CVE-2024-1709 for the authentication bypass issue and CVE-2024-1708 for the path traversal flaw. In response to these vulnerabilities, ConnectWise has released a new version of ScreenConnect (v23.9.10.8817) that includes fixes for the two flaws as well as other non-security fixes. Importantly, customers who are no longer under maintenance can now upgrade to this version to protect themselves against potential exploitation.

The vulnerabilities were first brought to light by ConnectWise on February 19, when they advised self-hosted or on-premise customers to update their servers to version 23.9.8 as soon as possible. Following this, there were confirmed exploitation attempts from various IP addresses, prompting further investigation from security researchers.

Huntress researchers conducted a technical analysis of both CVE-2024-1709 and CVE-2024-1708 and even created a proof-of-concept exploit for CVE-2024-1709. WatchTowr Labs also published their own proof-of-concept exploit for CVE-2024-1709, demonstrating how easily an attacker could add a new administrative user in ConnectWise ScreenConnect as a first step towards remote code execution.

The Shadowserver Foundation reported that there are around 3800 vulnerable ConnectWise ScreenConnect instances, with their sensors picking up initial exploit requests in their honeypots. They advised organizations to check for signs of compromise, such as new users being added, and to patch their systems immediately.

ConnectWise has emphasized the importance of all ScreenConnect customers upgrading to the fixed version (v23.9.10.8817) without delay. Palo Alto Networks’ Unit 42 has warned that the severity and scope of these vulnerabilities make them likely targets for cybercriminals and nation-state actors, underscoring the urgency of patching.

For customers who suspect they may have been compromised via CVE-2024-1709, ConnectWise has provided guidance on upgrading their installation and checking for any malicious activities using the Report Manager extension.

Recent reports from Sophos’ X-Ops task force have indicated active exploitation of the ScreenConnect vulnerabilities in the wild, leading to the distribution of various threats including the LockBit ransomware, AsyncRAT, infostealers, and the SimpleHelp Remote Access Client. This serves as a stark reminder of the importance of timely patching and vigilance in the face of evolving cyber threats.

In conclusion, the proactive response from ConnectWise in identifying and addressing these vulnerabilities underscores the critical role that rapid patching and security updates play in safeguarding organizations from potential exploitation and cyber attacks. By staying informed and taking prompt action to secure their systems, businesses can mitigate risks and protect their sensitive data from malicious actors.
