Dive Brief:
- Critical vulnerabilities in ConnectWise ScreenConnect are under active exploitation by threat actors, and there is an urgent need for users to patch their systems, according to security researchers.
- ConnectWise ScreenConnect is a remote desktop application widely used by help desks and remote workers. A critical authentication bypass vulnerability, with a CVSS score of 10, could allow an attacker access to critical systems or confidential information. A path traversal vulnerability, with a score of 8.4, could allow an attacker to execute remote code.
- ConnectWise on Wednesday urged on-premises partners to immediately upgrade to the latest version of ScreenConnect, after its incident response team began to investigate reports of suspicious activity. The vulnerability applies to on-premises users.
Dive Insight:
ConnectWise was originally notified of the vulnerabilities on Feb. 13 through its disclosure channels.
Following the company’s initial disclosure, Huntress researchers were able to recreate the exploit and attack chain, but delayed releasing the details to allow time for users to patch. Other researchers, however, publicly released a proof of concept.
John Hammond, principal security researcher at Huntress, said threat actors are now casting as wide a net as possible for future attacks.
“They want to collect as [many] implants and access and footholds as they can,” Hammond said. “And then later have that saved and ready for them to do their own campaign and wreak havoc.”
After a few days of delay, the vulnerabilities were assigned CVE-2024-1709 and CVE-2024-17008.
Researchers at Palo Alto Networks have observed more than 18,000 unique IP addresses hosting ScreenConnect globally.
Federal officials are working with the company to gain a better understanding of the current threat activity.
“CISA is aware of a reported vulnerability impacting ConnectWise ScreenConnect and we are working to understand potential exploitation in order to provide necessary guidance and assistance,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said via email.