Security experts have raised concerns about the exploitation of two vulnerabilities in ConnectWise ScreenConnect by threat actors, prompting urgent action from the vendor and heightened awareness among users.
ConnectWise issued an advisory highlighting two critical vulnerabilities, CVE-2024-1709 and CVE-2024-1708, affecting its ScreenConnect remote access software. The severity of these vulnerabilities, with a CVSS score of 10 for CVE-2024-1709 and 8.4 for CVE-2024-1708, prompted immediate action. The vendor acknowledged that these vulnerabilities were reported on February 13 through its bug disclosure program.
In response to confirmed instances of exploitation, ConnectWise updated its advisory to reflect the seriousness of the situation. The company noted that compromised accounts were identified and investigated by their incident response team. Additionally, ConnectWise listed IP addresses used by threat actors as indicators of compromise in the updated advisory.
Multiple cybersecurity researchers and vendors, including Rapid7 and Huntress, confirmed the exploitation of these vulnerabilities. Cloud instances of ScreenConnect have been patched, and on-premises customers are urged to update their software to version 23.9.8 or later immediately.
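As an added example, not code from the article, ConnectWise or Huntress: a small inventory check that flags on-premises ScreenConnect installs whose version is below the 23.9.8 fix release named above. It compares versions numerically per component, so a build such as 23.9.10 is correctly treated as newer than 23.9.8; the hostnames and version strings are constructed.

```python
# Added example (not from the article or ConnectWise): flag on-premises
# ScreenConnect installs below the patched version named in the advisory
# (23.9.8) for CVE-2024-1709 / CVE-2024-1708.
import re

PATCHED_VERSION = (23, 9, 8)


def parse_version(version: str) -> tuple:
    """Turn a version string like '23.9.8.8811' into a tuple of ints.

    Only leading numeric dot-separated components are kept, so
    '23.9.7-beta' parses as (23, 9, 7). Raises ValueError when no
    numeric component is present.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if the version is older than 23.9.8 (the fix release).

    Tuple comparison is numeric per component, so '23.9.10' is newer
    than '23.9.8'; a plain string comparison would get this wrong.
    """
    return parse_version(version) < PATCHED_VERSION


def find_unpatched(inventory: dict) -> list:
    """Return hostnames whose recorded ScreenConnect version is unpatched."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.8.8811",
    "sc-prod-02": "23.9.7.8804",
    "sc-lab": "23.9.10.8817",
    "sc-legacy": "22.6.10.8262",
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below 23.9.8, patch now")
```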
A blog post by Huntress detailed the simplicity of the exploit, describing it as “trivial and embarrassingly easy.” The post included a proof-of-concept exploit developed by Huntress researchers, showcasing both the authentication bypass aspect and remote code execution potential.
John Hammond, principal security researcher at Huntress, explained the ease of exploitation, attributing it to a minimal change in the web address. This modification grants attackers the ability to create a new administrator account with unprecedented access.
ConnectWise’s update, requiring immediate patching for on-premises instances, was praised by Hammond for its effectiveness in mitigating the risks associated with these vulnerabilities. He noted that this decision, although challenging for the vendor, was the right move to protect users and prevent further exploitation.
In response to the urgency of the situation, ConnectWise removed license restrictions for partners not under maintenance to upgrade to the latest version of ScreenConnect. This proactive measure aims to ensure that all users have access to the necessary patches to secure their systems.
Unfortunately, the exploitation of these vulnerabilities has already been linked to ransomware activities. Research from Sophos X-Ops revealed connections between exploitation of the vulnerabilities and attacks by the LockBit ransomware gang. Despite recent law enforcement efforts to disrupt LockBit operations, some affiliates appear to still be active in leveraging these vulnerabilities for criminal activities.
As the security community continues to monitor the situation closely, it is imperative for all ConnectWise ScreenConnect users to prioritize updating their software to the latest version and implementing additional security measures to protect their systems from potential attacks.
While ConnectWise did not respond to requests for comment, the importance of swift action and collaboration between vendors, researchers, and users cannot be overstated in addressing and mitigating the impact of these vulnerabilities on the cybersecurity landscape.
