ConnectWise Rushes to Patch Critical Vulns in Remote Access Tool

ConnectWise ships patches for extremely critical security defects in its ScreenConnect remote desktop access product and urges emergency patching.

Enterprise IT software giant ConnectWise has released urgent patches for two critical security defects in its ScreenConnect remote desktop access product, warning that there is a high risk of in-the-wild exploitation.

The more serious of the two bugs is described as an “authentication bypass using an alternate path or channel” and carries the maximum CVSS severity score of 10/10.

A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”), was also fixed and tagged with a CVSS severity score of 8.4/10.

The company says the vulnerabilities were reported a week ago through its public disclosure channel but insists there is no evidence of in-the-wild exploitation.

However, because of the severity and risk of exploitation, ConnectWise is urging enterprise admins to install the patches “as emergency changes” within days.

ConnectWise documented the issue in an advisory marked as “critical” because it addresses vulnerabilities “that could allow the ability to execute remote code or directly impact confidential data or critical systems.”

Affected versions include ScreenConnect 23.9.7 and prior versions, and the company said the issue is most relevant to on-prem or self-hosted customers.

“Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch,” the company said, noting that patched versions of releases 22.4 through 23.9.7 for the critical issue will also be available.

The ConnectWise ScreenConnect patches come at a time when the US government is warning about critical risks associated with legitimate remote monitoring and management (RMM) software. 

Enterprise IT service providers use RMM applications to remotely manage client networks and endpoints, but threat actors have been caught abusing these tools to hack into companies to launch ransomware attacks.

In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ScreenConnect and AnyDesk on victims’ systems, and abused these tools for financial gain.

Security defects in ConnectWise software products have landed the company on the CISA KEV (Known Exploited Vulnerabilities) catalog.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
