Critical vulnerabilities in ConnectWise ScreenConnect

Technical analysis 

CVE-2024-1709 (authentication bypass): This vulnerability stems from an undisclosed flaw in ScreenConnect's authentication mechanism, allowing attackers to bypass authentication altogether. Exploiting this vulnerability requires minimal technical expertise and can be achieved through specifically crafted requests. 

CVE-2024-1708 (path traversal): This vulnerability allows attackers to access files and directories outside their intended scope. When combined with CVE-2024-1709, attackers can leverage this vulnerability to gain unauthorised access to sensitive information or execute arbitrary code on the affected system. 

Impact analysis 

These vulnerabilities pose a significant threat to organisations using ScreenConnect, with potential consequences including: 

• Data breaches: Sensitive data, such as user credentials, financial information, and intellectual property, can be compromised and exfiltrated. 
• System outages: Attackers can gain control of systems, leading to disruptions, data manipulation and potential data encryption. 
• Financial losses: Data breaches, system outages, and ransomware attacks can incur significant financial losses.  
• Reputational damage: Organisations may face reputational damage due to data breaches and security incidents. 

Mitigation strategies 

Patch immediately: Update ScreenConnect to the latest version (23.9.8) as soon as possible. Patches are available for on-premise and cloud deployments. ScreenConnect servers hosted in screenconnect[.]com cloud or hostedrmm[.]com have been updated to remediate the issue, and no end user action is required. 

Enable multi-factor authentication (MFA): Implement MFA for all ScreenConnect users to add an extra layer of security. 

Review user permissions: Grant users only the minimum level of access required for their roles. 

Monitor activity: Monitor for suspicious activity and unauthorised login attempts. 

Segment networks: Segment networks to limit the potential impact of an attack. 

Deploy security solutions: Implement endpoint security solutions and intrusion detection/prevention systems (IDS/IPS) to detect and prevent malicious activity. 

Proof of concept 

A proof of concept (PoC) has been published on GitHub by Watchtowr. This PoC exploits an authentication bypass to add a new administrator within ConnectWise ScreenConnect. 

Conclusion 

The recent ScreenConnect vulnerabilities pose a serious threat to organisations. There are published PoCs and guides that will likely enable malicious actors to begin targeting these vulnerabilities.  

Prompt patching and implementing robust security measures will be crucial to mitigating the risks. Continuous monitoring and vigilance are essential to stay ahead of evolving threats and protect valuable data and systems.