Enterprise IT software giant ConnectWise has released urgent patches for two security defects in its ScreenConnect remote desktop access product, one of them rated at maximum severity, warning that there is a high risk of in-the-wild exploitation.
The more serious of the two bugs is described as an “authentication bypass using an alternate path or channel” and carries the maximum CVSS severity score of 10/10.
A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”), was also fixed and tagged with a CVSS severity score of 8.4/10.
The company says the vulnerabilities were reported a week ago through its public disclosure channel but insists there is no evidence of in-the-wild exploitation.
However, because of the severity and risk of exploitation, ConnectWise is urging enterprise admins to install the patches “as emergency changes” within days.
ConnectWise documented the issue in an advisory marked as “critical” because it addresses vulnerabilities “that could allow the ability to execute remote code or directly impact confidential data or critical systems.”
Affected versions are ScreenConnect 23.9.7 and earlier, and the company said the issue is most relevant to on-premises or self-hosted customers.
“Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch,” the company said, noting that patched versions of releases 22.4 through 23.9.7 will also be made available for the critical issue.
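As an added triage aid for admins inventorying their own servers, the following Python sorts self-hosted ScreenConnect versions into buckets using only the numbers reported above. This is example code written for this article, not ConnectWise tooling; the hostnames, version strings and function names are constructed. The three buckets follow from the advisory as reported: 23.9.8 and later carry the fixes, releases 22.4 through 23.9.7 were to receive patched builds that a bare version string cannot distinguish from the unpatched original, and anything older has no patched build announced and must be upgraded.

```python
"""Classify self-hosted ScreenConnect servers against the version thresholds
reported in the ConnectWise advisory. Added example, not vendor code.
All hostnames and version strings below are constructed."""

from typing import Dict, Tuple

FIXED_VERSION = "23.9.8"   # first mainline build carrying both fixes (per the advisory as reported)
BACKPORT_FLOOR = "22.4"    # oldest release line for which a back-ported patched build was announced


def parse_version(v: str) -> Tuple[int, ...]:
    """'23.9.7.8804' -> (23, 9, 7, 8804). Rejects anything that is not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Component-wise comparison; missing trailing components count as 0,
    so '23.9.8' == '23.9.8.0' and '23.9.7.8804' < '23.9.8'. Returns -1, 0 or 1."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def classify(version: str) -> str:
    """Bucket a single server version.

    patched                      -> 23.9.8 or later
    verify-backport              -> 22.4 .. 23.9.7: may be an unpatched original or one of
                                    the announced back-ported fixes; confirm the exact
                                    build against the vendor's patched-build list
    vulnerable-upgrade-required  -> older than 22.4: no patched build announced
    """
    if compare(version, FIXED_VERSION) >= 0:
        return "patched"
    if compare(version, BACKPORT_FLOOR) >= 0:
        return "verify-backport"
    return "vulnerable-upgrade-required"


# Constructed sample inventory: hostname -> version string as reported by the server.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sc-prod-01.example.internal": "23.9.8",
    "sc-prod-02.example.internal": "23.9.7.8804",
    "sc-dr.example.internal": "22.6.1",
    "sc-legacy.example.internal": "21.14.5",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {hostname: bucket} for every server in the inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, bucket in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32s} {SAMPLE_INVENTORY[host]:14s} {bucket}")
```

The "verify-backport" bucket is deliberate: because patched builds were announced for release lines below 23.9.8, a version number alone cannot prove that such a server is unpatched, and treating it as either safe or vulnerable without checking the exact build would be a mistake in either direction.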
The ConnectWise ScreenConnect patches come at a time when the US government is warning about critical risks associated with legitimate remote monitoring and management (RMM) software.
Enterprise IT service providers use RMM applications to remotely manage client networks and endpoints, but threat actors have been caught abusing these tools to hack into companies to launch ransomware attacks.
In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ScreenConnect and AnyDesk on victims’ systems, then abused those tools for financial gain.
Previous security defects in ConnectWise software products have landed the company on CISA's KEV (Known Exploited Vulnerabilities) catalog.
Related: US Issue Guidance on Securing Remote Access Software
Related: Critical ConnectWise Vulnerability in Internet-Exposed Servers
Related: R1Soft Server Backup Manager Bug Exploited to Deploy Backdoor
Related: US Gov Warn of Malicious Use of Remote Management Software