ConnectWise urges organizations using an on-premises installation of the ScreenConnect remote monitoring and management software (formerly known as ConnectWise Control) to update servers to version 23.9.8 immediately due to a critical remote code execution vulnerability. The ScreenConnect remote desktop product is at risk due to a pair of vulnerabilities: CVE-2024-1709 and CVE-2024-1708.
ScreenConnect vulnerabilities under active exploitation
Cybercriminals can chain the two vulnerabilities, leveraging the authentication bypass CVE-2024-1709 first and then moving through the system with the path traversal CVE-2024-1708. These vulnerabilities affect ScreenConnect 23.9.7 and all prior ScreenConnect versions. Because ScreenConnect provides remote access functionality, attackers targeting ConnectWise ScreenConnect may seek to compromise critical systems for organizations with on-premises or self-hosted deployments.
These vulnerabilities follow a Cybersecurity and Infrastructure Security Agency (CISA) January advisory that warns about a widespread campaign compromising remote monitoring and management software, including ScreenConnect, to gain persistence and control of the target network. While the previous campaign used phishing attacks to compromise legitimate RMM software, the current vulnerabilities leading to remote code execution are of additional concern as this software has previously been targeted by malicious cybercriminals and advanced persistent threats (APTs).
CVE-2024-1709 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10.0, which is the highest score and indicates a complete breakdown of security measures that can be immediately exploited. The path traversal vulnerability has a CVSS score of 8.4, which indicates a high severity risk. CVE-2024-1709 is part of the CISA Known Exploited Vulnerabilities (KEV) catalog.
ConnectWise announced the new vulnerabilities alongside a fix in their February 2024 security bulletin, stating the following:
"Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks." (ConnectWise)
Despite this assurance that ScreenConnect servers were not compromised, ConnectWise has received reports of suspicious activity and provided IP addresses used by threat actors as known indicators of compromise (IoCs). ConnectWise shared that the cloud-based offerings, [.rt-script]screenconnect.com[.rt-script] or [.rt-script]hostedrmm.com[.rt-script], have already been secured against these vulnerabilities.
Multiple threat intelligence groups have released working proof-of-concept exploits (PoCs) that illustrate how hackers can exploit this set of vulnerabilities. The Huntress PoC demonstrates the ease with which an attacker can compromise the ScreenConnect setup wizard and bypass authentication requirements on an existing ScreenConnect server, overwriting the user database with a new administrative user. Appending a forward slash [.rt-script]/[.rt-script] to the [.rt-script]SetupWizard.aspx[.rt-script] request URL bypasses the HTTP request filter that should deny new setups on existing ScreenConnect servers.
"Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE)." (Huntress)
If an attacker gains access to your system, they can exploit CVE-2024-1708 to run arbitrary code and modify existing files on the server. Malicious actors may install malware or ransomware, or they may gain access to customer endpoints available in the provider's ScreenConnect server.
How to respond to the ScreenConnect vulnerabilities
If you use ScreenConnect, you should immediately apply the security update from ConnectWise. Because these two vulnerabilities can be combined by threat actors to gain access and lateral movement within your system, it is critical to protect against the vulnerability before an attacker exploits it on your system.
Run the ScreenConnect update for on-premises servers
The ConnectWise security bulletin instructs organizations to upgrade to the latest version of ScreenConnect (23.9.10.8817 at the time of publication). If you are using version 23.9.8, then your server should be protected against the reported vulnerabilities.
Investigate indicators of compromise
Both ConnectWise and threat intelligence researchers have released potential indicators of compromise identified during investigation into these vulnerabilities. You should evaluate your server to assess whether it has been compromised, following your organization's incident response plan for quarantine and recovery if the vulnerabilities on your server were exploited.
ConnectWise reported that the following IP addresses were used by threat actors:
[.rt-script]155.133.5.15[.rt-script][.rt-script]155.133.5.14[.rt-script][.rt-script]118.69.65.60[.rt-script]
You can additionally use the ScreenConnect audit page to review login attempts for unauthorized users or IP addresses. Horizon3 and GreyNoise have also partnered on a malicious activity tag to monitor additional IP addresses that attempt the bypass exploitation.
The Huntress intelligence team has provided detection guidance that uses the Advanced Auditing policy to log file changes indicative of an attacker's presence on the server. Their recommendation uses the Windows Event 4663 to log when the [.rt-script]User.xml[.rt-script] file is modified, such as when the setup wizard creates new users. Huntress also identified a malicious [.rt-script]SetUpWizard.aspx[.rt-script] URL path in the Microsoft Internet Information Services (IIS) audit log.
You can use this information as a starting point for your investigation though you may need to conduct additional forensic analysis to determine whether your server has been compromised due to these vulnerabilities.
Automate continuous monitoring across your public attack surface
Continuous monitoring of your external attack surface can help you take proactive measures against any potential known and unknown vulnerabilities. UpGuard maintains a vulnerability library for customers using BreachSight and Vendor Risk to help organizations identify issues that need mitigation. If you or a vendor use ScreenConnect, you should determine whether it has been updated to a secure version.
UpGuard users can search for CVE-2024-1709 in the Vulnerabilities module to identify whether ScreenConnect poses a risk, or you can search for ScreenConnect by name in the Portfolio Risk Profile.
