ConnectWise Vulnerability: Authentication Bypass in ScreenConnect

UPDATE: February 23rd, 2024 The following CVEs have been assigned to the ConnectWise Vulnerability: 

• CVE-2024-1709 (CVSS: 10): Authentication Bypass
  • POC by Horizion3ai on GitHub 
• CVE-2024-1708 (CVSS: 8.4): Path Traversal 

Widespread exploitation of these vulnerabilities in the wild has been confirmed including comprise of UnitedHealth's Change Healthcare on February 22nd, by Lockbit. Sophos has confirmed various strains of malware using these vulnerabilities as part of delivery including LockBit ransomware, AsyncRAT, infostealers, etc.  It is Centripetal’s assessment that threat actors currently are actively targeting these vulnerabilities due to the ability to directly achieve Remote Code Execution and organizations should patch any exposed instances of ConnectWise as soon as possible. February 20th, 2024 On February 19th, ConnectWise disclosed a vulnerability in their ScreenConnect software versions 23.9.7 and earlier.  This particular critical severity vulnerability, results in the reading of sensitive configuration files, access to and modification of application source code, and Remote Code Execution capabilities by an attacker.  Additional path traversal risks exist. There is no indication of current exploitation in the wild.  If you are a current ConnectWise ScreenConnect customer utilizing the cloud solution, the software has already been upgraded and no action is required. For users who are using an on-premises solution, ConnectWise has issued a patch as well as a full upgrade document which can be found here. While no known threat actors are known to be actively exploiting this vulnerability in the wild or that a proof-of-concept exists, the CleanINTERNET® solution continues to utilize threat intelligence to protect against reconnaissance which would allow an attacker to rapidly index and launch attacks on known vulnerable targets. At the time of this writing, no CVE has been assigned to the vulnerability. If you are a current client of ConnectWise please contact support@centripetal.ai. Centripetal is pleased to offer penetration testing and vulnerability assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.