Customers were forewarned by ConnectWise to immediately patch their ScreenConnect servers to prevent attacks using remote code execution (RCE ) flaws.
An authentication bypass  vulnerability that attackers can use to remotely execute arbitrary code on vulnerable servers in low-complexity attacks that do n’t require user interaction is the root of this securitybug.
Additionally, the business fixed a remote desktop software path traversal vulnerability that can only be exploited by attackers with high privileges.
Through the ConnectWise Trust Center’s vulnerability disclosure channel, vulnerabilities were reported on February 13, 2024, the company issued a warning.
” On-premise partners must take immediate action to address these identified security risks even though there is no evidence that these vulnerabilities have been exploited in the wild.”
The two security flaws that affect all servers running ScreenConnect 23.7 and earlier have not yet been given CVE IDs by ConnectWise.
Administrators using on-premise software are advised to update their servers to ScreenConnect version 23.9.8 right away, even though screenConnect cloud servers hosted on screenconnect.com cloud or hostedrmm…com are already protected against potential attacks.
Researchers from Huntress Security announced earlier today that they had already developed a proof-of-concept ( PoC ) exploit that can get around ScreenConnect servers ‘ authentication requirements.
More than 8,800 servers were found to be attack-vulnerable thanks to a search on the Censys exposure management platform, according to Huntress.
Over 7,600 ScreenConnect servers are also tracked by Shodan, but only 160 of them are currently using the patched Version23.98.8.
Attackers are increasingly using legitimate remote monitoring and management ( RMM) software like ConnectWise ScreenConnect for malicious purposes, according to a joint advisory warning from CISA, the NSA, and MS-ISAC.
Threat actors can access their targets ‘ networks as local users without needing admin permissions or new complete software installations by using remote desktop software as a point of entry.
By using the compromised user’s permissions, they are able to get around security restrictions and access other network devices.
For years, attackers have been using ScreenConnect for malicious purposes, including data theft and the distribution of ransomware payloads across compromised systems of victims.
Huntress recently observed threat actors persistently accessing compromised networks using local ScreenConnect instances.