ConnectWise ScreenConnect Vulnerability Seeing Exploits: CISA

The vulnerability was rated as critical in ConnectWise’s security bulletin.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is seeing active exploits related to the ConnectWise ScreenConnect vulnerability that was reported earlier last week.

Vulnerabilities were reported on February 13 through Tampa, Fla.-based ConnectWise’s vulnerability disclosure channel via the ConnectWise Trust Center, according to the vendor’s security bulletin.

MSPs were notified of the vulnerabilities on Monday and given instructions to update on-prem servers immediately. The ConnectWise team said they patched all cloud environments.

The ConnectWise vulnerability (tracked as CVE-2024-1709) was added to CISA’s Known Exploited Vulnerabilities Catalog Thursday. ConnectWise rated the vulnerability as critical when it first reported it.

CRN has reached out to ConnectWise for comment.

In a security bulletin updated on Wednesday, ConnectWise said, “Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).”

“ScreenConnect version 23.9.10.8817 was released containing a number of fixes to improve customer experience,” the security update read. “It is always recommended to be on the latest version but 23.9.8 is the minimum version that remediated the reported vulnerabilities. As part of this release, ConnectWise has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect.”

The first vulnerability reported by the vendor, CVE-2024-1709, had a score of 10, the highest possible severity. The authentication bypass could open the door for the second vulnerability, CVE-2024-1708, according to a blog post by threat research firm Huntress.

“At the time of the release, the ConnectWise advisory was very sparse on technical details,” the Huntress team stated in a blog post. “There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of or any other threat intelligence or indicators of compromise to hunt for.

“Once we recreated the exploit and attack chain, we came to the same conclusion: there should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors.

“But with the vendors now publicly sharing the proof-of-concept exploit, the cat is out of the bag. We now feel that sharing our analysis shares no more threat than what is already available. So, we’re ready to spill the beans.”

In a Huntress briefing for the MSP community on the vulnerabilities Thursday, CEO Kyle Hanslovan said he knew ConnectWise CISO Patrick Beggs and his team were helping with incident response.

“If you are using this, you should start with ConnectWise, they should be considered the experts at this,” Hanslovan said on the briefing. “To be very frank, they should be able to help guide. We are also working on publishing more resources. So I know you're seeing it breaking here first. We're working on getting a lot of the stuff we shared into new updated blogs to help guide this less on the exploitation side. We're not trying to encourage that (but there will be) much more on the forensic side. The reason here was to give you some logs to show you what it looks like.”

A LinkedIn Live discussion on the ScreenConnect vulnerabilities will take place at 3 p.m. ET Thursday with Beggs and CompTIA chief community officer MJ Shoer.