ConnectWise patches two vulnerabilities in ScreenConnect

Update February 21: A blog post is now available with more information on these vulnerabilities

On February 19, ConnectWise released a security bulletin for two vulnerabilities affecting its Remote Monitoring and Management (RMM) solution, ScreenConnect. At the time the security advisory was published, no CVE identifiers had been released for the two vulnerabilities. The two issues are:

• A critical severity authentication bypass vulnerability with the highest possible CVSS score of 10
• A high severity path traversal vulnerability with a CVSS score of 8.4

At the time the advisory was released, no known exploitation of these vulnerabilities has been observed and the issues were responsibly disclosed to ConnectWise. The advisory notes that only on-premise or self-hosted servers are impacted and should apply the update as soon as possible.

On February 20, researchers at Huntress released a blog post acknowledging that they have reproduced these vulnerabilities and developed a proof-of-concept. They had chosen to not release the exploit code at this time and noted that “As of 07:00 AM EST, over 8,800 servers are shown as running a vulnerable version on the Censys.io platform.”

At this time, Tenable Research is carefully watching for the latest information on these vulnerabilities and our teams will be releasing plugin coverage soon. We strongly recommend that you review the security advisory and upgrade to version 23.9.8 or later as soon as possible to address these vulnerabilities. For more information, please refer to our blog.