ConnectWise recently released a security bulletin disclosing two new vulnerabilities in their ScreenConnect platform.
Although the vulnerabilities had not been assigned CVE IDs at the time of the bulletin, the more severe of the two carries the maximum CVSS score of 10.0.
This flaw is an authentication bypass bug in the ScreenConnect server that allows for an unauthenticated remote attacker to access confidential data or execute arbitrary code.
According to the advisory, this is a low-complexity attack that requires no user interaction.
The second bug is a path traversal vulnerability that can only be exploited by an attacker who already holds high privileges on the server.
Updated February 21, 2024: Proof-of-concept exploit code has now been published by multiple security researchers, and the vulnerabilities are under active exploitation. Per the published exploitation write-ups, any web request to the 'SetupWizard.aspx' path on a ScreenConnect server should be treated as malicious.
Both vulnerabilities affect ScreenConnect servers running version 23.9.7 and earlier.
Administrators are urged to patch self-hosted (on-premises) ScreenConnect servers to version 23.9.8 immediately. Per the ConnectWise security bulletin, ScreenConnect servers hosted on screenconnect[.]com and hostedrmm[.]com have already been patched.
Indicator IP addresses used in the hunt queries below:
155.133.5.15
155.133.5.14
118.69.65.60
PacketWatch’s Threat Hunter Andy Oesterheld created the following PacketWatch hunt queries to search for signs of exploitation:
http.uri:[YourScreenConnectServer]\/setupwizard.aspx
source.ip:(155.133.5.15 OR 155.133.5.14 OR 118.69.65.60) OR destination.ip:(155.133.5.15 OR 155.133.5.14 OR 118.69.65.60)
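The two actionable items in this bulletin are (1) confirm whether a self-hosted server is on an affected build and (2) hunt for the indicators above. The script below is an added example, not PacketWatch's or ConnectWise's own code, that does both against a web server access log. It assumes a combined-format access log (the regex is for this example only) and uses constructed sample log lines rather than real captures; the IP list and the SetupWizard.aspx indicator come from the bulletin itself. Note that an access log only shows the client (source) IP, so the destination.ip half of the second hunt query has no equivalent here.

```python
import ipaddress
import re

# IP addresses listed in the bulletin above (the source.ip / destination.ip hunt query).
IOC_IPS = {
    ipaddress.ip_address("155.133.5.15"),
    ipaddress.ip_address("155.133.5.14"),
    ipaddress.ip_address("118.69.65.60"),
}

# Assumed combined-format access log line (client IP, timestamp, request line, status).
# This regex is an assumption for the example; adapt it to your server's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str, width: int = 4) -> tuple:
    """Turn '23.9.7.8647' into (23, 9, 7, 8647), zero-padded to a fixed width.

    Numeric tuples avoid the string-comparison trap where '23.9.10' < '23.9.8',
    and padding keeps '23.9.8' from comparing below '23.9.8.8811'.
    """
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_vulnerable_version(version: str, fixed: str = "23.9.8") -> bool:
    """True when a ScreenConnect build is 23.9.7 or earlier (affected per the bulletin)."""
    return parse_version(version) < parse_version(fixed)


def hunt(log_lines):
    """Return one finding per access-log line that matches an indicator from the bulletin."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-score it
        reasons = []

        # Indicator 1: any request to SetupWizard.aspx. Compare the path without the
        # query string, case-insensitively (IIS/ASP.NET routing is not case sensitive),
        # and as a substring so extra path components around it are still caught.
        uri_path = m["uri"].split("?", 1)[0]
        if "setupwizard.aspx" in uri_path.lower():
            reasons.append("request to SetupWizard.aspx")

        # Indicator 2: client IP on the bulletin's list. ip_address() normalises the
        # text form so odd spellings of the same address still match the set.
        try:
            client_ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            client_ip = None
        if client_ip in IOC_IPS:
            reasons.append("source IP on advisory list")

        if reasons:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "uri": m["uri"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines for this example; they are not real captures.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Feb/2024:14:02:11 +0000] "GET /Login HTTP/1.1" 200 5123',
    '155.133.5.15 - - [20/Feb/2024:14:03:40 +0000] "POST /SetupWizard.aspx HTTP/1.1" 200 8801',
    '198.51.100.7 - - [20/Feb/2024:14:05:02 +0000] "GET /setupwizard.aspx?x=1 HTTP/1.1" 200 8801',
    '118.69.65.60 - - [20/Feb/2024:14:06:59 +0000] "GET /Script.ashx HTTP/1.1" 200 100',
    '203.0.113.10 - - [20/Feb/2024:14:07:30 +0000] "GET /App_Extensions/ HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    for v in ("23.9.7.8647", "23.9.8", "23.9.10"):
        print(f"{v}: {'AFFECTED' if is_vulnerable_version(v) else 'patched'}")
    for f in hunt(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['uri']} -> {', '.join(f['reasons'])}")
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines. A hit on the SetupWizard.aspx indicator on a server that was still on 23.9.7 or earlier at the time of the request should be escalated to incident response rather than simply patched over, since the bulletin's update states that path is only requested by exploitation attempts.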
ConnectWise ScreenConnect, also known as ConnectWise Control, is a remote support, access, and meeting solution available in the cloud or as a self-hosted tool.
ConnectWise lists them as:
The vulnerabilities were reported on February 13th to ConnectWise, headquartered in Tampa, Florida, through the company's vulnerability disclosure channel, the ConnectWise Trust Center.
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.