
ScreenConnect Servers at High Risk as POC Becomes Public

More Than 8,000 ScreenConnect Servers Were Exposed to the Internet

Software giant ConnectWise urged customers to promptly patch critical vulnerabilities that could allow remote code execution or directly affect confidential data or critical systems.


The two vulnerabilities affect the ScreenConnect remote desktop access product. The more serious flaw, CVE-2024-1709, carries the maximum CVSS score of 10 and stems from an authentication bypass weakness.

The second flaw, CVE-2024-1708, is a high-severity path traversal vulnerability that is exploitable only by attackers with high privileges.

ConnectWise reported the vulnerabilities on Feb. 13. Although there was no evidence of exploitation in the wild at the time, the company said in a Tuesday update that its incident response team had investigated and confirmed that accounts had been compromised. The company did not reveal how many accounts were breached but disclosed a list of three IP addresses recently used by threat actors to breach ScreenConnect servers: 155.133.5.15, 155.133.5.14 and 118.69.65.60.

Internet of things search engine Shodan indicated more than 8,000 ScreenConnect servers are exposed to the internet, and only 5% of them - approximately 430 servers - are currently running the patched version 23.9.8. Palo Alto Networks' Unit42 said it had observed more than 16,000 distinct IPs that are likely vulnerable. "Patch now! …this vuln is expected to be extremely easy to reverse/exploit," Unit42 tweeted.

ScreenConnect cloud servers hosted on screenconnect.com or hostedrmm.com are already secure, but administrators using on-premises software are advised to promptly update their servers to ScreenConnect version 23.9.8.
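
As an added example, not code from ConnectWise or from the researchers quoted here, the following Python applies the two actionable details above: it flags on-premises servers running a version below 23.9.8 and searches log lines for the three published IP addresses. The host names, version strings and log format are constructed assumptions.

```python
import ipaddress
import re

# From the article: IPs ConnectWise published, and the fixed on-premises release.
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}
PATCHED = (23, 9, 8)
VENDOR_HOSTED = (".screenconnect.com", ".hostedrmm.com")
# Dotted quad not glued to more digits, so 155.133.5.150 is not a hit.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def needs_patch(host, version):
    """True for an on-premises server whose version is below 23.9.8."""
    if host.lower().endswith(VENDOR_HOSTED):
        return False  # the article says vendor-hosted instances are already secure
    try:
        # Compare numerically: as strings, "23.9.10" would sort before "23.9.8".
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return True  # unknown or malformed version: treat as unpatched
    return parts[:3] < PATCHED


def ioc_hits(log_lines):
    """Return (line_number, ip) for each published IP seen in the log lines."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for token in IPV4.findall(line):
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip in IOC_IPS:
                hits.append((number, ip))
    return hits


# Constructed sample data (hypothetical hosts, versions and log format).
INVENTORY = {"rmm01.corp.example": "23.9.7", "rmm02.corp.example": "23.9.10",
             "acme.screenconnect.com": "23.9.7"}
SAMPLE_LOG = [
    "2024-02-21T10:02:11Z 203.0.113.7 GET /Login 200",
    "2024-02-21T10:05:40Z ::ffff:155.133.5.15 POST /Login 200",
    "2024-02-21T10:06:02Z client=118.69.65.60:49152 GET / 200",
    "2024-02-21T10:07:19Z 155.133.5.150 GET / 200",
]

if __name__ == "__main__":
    print([h for h, v in INVENTORY.items() if needs_patch(h, v)], ioc_hits(SAMPLE_LOG))
```

A log hit from one of these addresses is a reason to investigate the server, while the absence of hits says nothing about activity from other sources.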

The announcement of the latest vulnerability comes after the U.S. Cybersecurity and Infrastructure Security Agency - in a joint advisory last month with the National Security Agency and MS-ISAC - warned of attackers increasingly exploiting legitimate remote monitoring and management software, such as ConnectWise ScreenConnect. Using these software products as an entry point, threat actors can access systems as local users without the need for admin permissions or new software installations, bypass security controls and gain access to other devices on the network.

Remote desktop application provider AnyDesk confirmed this month that hackers recently had gained unauthorized access to the company's production systems. As a precaution, AnyDesk revoked all passwords to its web portal and advised users to change their password anywhere else they may have reused it.

Proof of Concept Goes Public

Huntress Labs security researchers disclosed a proof-of-concept exploit to bypass authentication on unpatched ScreenConnect servers. Huntress CEO Kyle Hanslovan initially said the company had purposely been "tight-lipped" and that he "100%" agreed with ConnectWise's CVSS score of 10, but the company later released a full technical analysis of the exploit, which it described as "trivial and embarrassingly easy."

Attack surface management firm WatchTowr developed another proof of concept to exploit the authentication bypass flaw and add a new administrative user in ConnectWise ScreenConnect. "This is the first step in a trivial remote command execution chain," WatchTowr said.

Attackers have misused ScreenConnect for malicious purposes for years, stealing data and deploying ransomware payloads across breached systems. Recently, federal authorities warned of attacks on healthcare sector firms that use ConnectWise's remote access tool ScreenConnect. Hackers in 2023 compromised a locally hosted version of the tool used by a large national pharmacy supply chain and managed services provider (see: Feds Warn Healthcare Sector of ScreenConnect Threats).


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



