A critical bug that could allow remote code execution on affected systems has been fixed in ConnectWise’s ScreenConnect remote desktop and access software.
Below is a list of the vulnerabilities that do not currently have CVE identifiers.
- Authentication bypass using an alternate path or channel (CVSS score: 10.0)
- Improper limitation of a pathname to a restricted directory, also known as "path traversal" (CVSS score: 8.4)
According to the company, the severity of the problems "could allow the ability to execute remote code or directly impact confidential data or critical systems."
ScreenConnect versions 23.9.7 and earlier are affected by both vulnerabilities; version 23.9.8 contains the fixes. The company received a report of the flaws on February 13, 2024.
Users running self-hosted or on-premise versions are advised to update to the most recent version as soon as possible, although there is no evidence that the flaws have been exploited in the wild.
For the critical issue, ConnectWise will also provide updated builds of releases 22.4 through 23.9.7, but it strongly advises partners to upgrade to ScreenConnect version 23.8.