Malware & Threats

Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers

IT management software provider ConnectWise on Friday announced updates that patch a critical vulnerability which, according to cybersecurity professionals, exposes thousands of servers to attacks.

Eduard Kovacs

October 31, 2022

The flaw, described as “improper neutralization of special elements in output used by a downstream component”, affects the ConnectWise Recover backup and disaster recovery product (v2.9.7 and earlier), and the R1Soft server backup manager (v6.16.3 and earlier).

The issue is a critical remote code execution vulnerability. The vendor has assigned it a priority rating of 1, which indicates that the vulnerability is either being targeted by hackers or it’s at high risk of being exploited in the wild.

ConnectWise Recover users have been urged to update to version 2.9.9, while R1Soft users should update to version 6.16.4.

The vulnerability was discovered by researchers at MDR company Huntress. Its CEO, Kyle Hanslovan, said Huntress could release details as early as Monday, but noted that ConnectWise’s patch is still being validated.

Hanslovan said Huntress researchers showed how they could push ransomware to nearly 5,000 internet-exposed R1Soft servers, many of which are located in North America and Europe. Hanslovan also confirmed potential supply chain impact considering that many of the affected systems belong to cloud hosting providers and MSPs.

Internet-exposed servers possibly affected by critical ConnectWise vulnerability

Several members of the cybersecurity industry raised concerns about the existence of the vulnerability and the patch being announced on a Friday, which makes it more likely for affected servers to remain unpatched until Monday, leaving them exposed to potential attacks that could start over the weekend.

Advertisement. Scroll to continue reading.

ConnectWise products have been known to be abused in ransomware attacks.

UPDATE: Huntress has published a blog post detailing its findings. The company says it’s not aware of in-the-wild exploitation, but its researchers developed PoC exploits to show how the vulnerability can be leveraged to bypass authentication, gain arbitrary code execution, and push the LockBit ransomware to all downstream endpoints.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Virtual Event: Threat Detection and Incident Response Summit

Wednesday, May 24, 2023

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Virtual Event: CISO Forum Virtual Summit

June 13-14, 2023

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Security Pros: Before You Do Anything, Understand Your Threat Landscape

Regardless of the use case your security organization is focused on, you’ll likely waste time and resources and make poor decisions if you don’t start with understanding your threat landscape. (Marc Solomon)

Today’s Cyber Defense Challenges: Complexity and a False Sense of Security

Industry standard frameworks and guidelines often lead organizations to believe that deploying more security solutions will result in greater protection against threats. (Torsten George)

Cutting Through the Noise: What is Zero Trust Security?

With proactive steps to move toward Zero Trust, technology leaders can leverage an old, yet new, idea that must become the security norm. (Marie Hattar)

Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats

A wave of layoffs, coupled with increased recruitment efforts by cybercriminals, could create the perfect conditions for insider threats to flourish (Derek Manky)

This New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT

The convergence of networking and security, the consolidation of technology vendors, and a focus on OT security are essential underpinnings of any organization's success. (John Maddison)

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

SecurityWeek NewsMarch 26, 2014

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Eduard KovacsMarch 28, 2023

Cybercrime

Cyber Insights 2023 | Ransomware

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Kevin TownsendFebruary 2, 2023

Cybercrime

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Eduard KovacsOctober 1, 2019

Risk Management