Less than 24 hours after shipping emergency patches for critical security defects in its ScreenConnect remote desktop access product, ConnectWise says hackers are already launching exploits to take over enterprise accounts.
“We received updates of compromised accounts that our incident response team have been able to investigate and confirm,” ConnectWise said in an updated advisory issued Wednesday.
The acknowledgement of in-the-wild exploitation comes as several security companies published proof-of-concept code to amplify the urgency for businesses to upgrade on-prem installations to ConnectWise ScreenConnect 23.9.8.
“The ‘exploit’ is trivial and embarrassingly easy,” according to technical documentation released by Huntress, a company in the managed security services business.
“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server,” Huntress warned.
Vulnerability management firm Rapid7 followed up with the addition of an unauthenticated RCE exploit module in the Metasploit pen-test tool and confirmed that remote code execution is achieved by leveraging the vulnerability to create a new admin account, and then using these creds to upload an extension (i.e. a plugin) that hosts a payload.
ConnectWise, a company that has seen its software featured in CISA’s Known Exploited Vulnerabilities (KEV) catalog, also published three IP addresses used by malicious actors to compromise ScreenConnect accounts and urged customers to hunt for signs of infections.
The company first flagged with an urgent advisory on Tuesday that cryptically described an “authentication bypass using an alternate path or channel” that carries the maximum CVSS severity score of 10/10.
A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”) was also fixed and tagged with a CVSS severity score of 8.4/10.
Because of the severity and risk of exploitation, ConnectWise is urging enterprise admins to install the patches “as emergency changes” within days.
ConnectWise documented the issue in an advisory marked as “critical” because it addresses vulnerabilities “that could allow the ability to execute remote code or directly impact confidential data or critical systems.”
Affected versions include ScreenConnect 23.9.7 and prior versions and the company said it is most relevant on on-prem or self-hosted customers.
Related: ConnectWise Rushes to Patch Critical ScreenConnect Vulnerabilities
Related: US Gov IssuesGuidance on Securing Remote Access Software
Related: Critical ConnectWise Vulnerability in Internet-Exposed Servers
Related: R1Soft Server Backup Manager Bug Exploited to Deploy Backdoor