Ben Card

SlashAndGrab: ConnectWise ScreenConnect Vulnerability Increasing Malware Spread



ConnectWise's ScreenConnect, a popular remote monitoring and management (RMM) software, has recently been targeted by cybercriminals exploiting a critical vulnerability. The flaw, tracked as CVE-2024-1709, allows an authentication bypass, while another related issue, CVE-2024-1708, involves an improper limitation of a pathname to a restricted directory (also known as "path traversal"). These vulnerabilities impact older versions of ScreenConnect and have been mitigated in version 23.9.8 and later.

 

The Vulnerabilities

1. CVE-2024-1709 (Authentication Bypass Using Alternate Path or Channel):

  • This vulnerability allows attackers to bypass authentication within the server software itself, not the client software installed on end-user devices.

  • Attackers have found that they can deploy malware to servers or workstations with the client software installed.

  • Sophos has evidence that attacks against both servers and client machines are currently underway.

 

2. CVE-2024-1708 (Improper Limitation of a Pathname to a Restricted Directory):

  • This vulnerability also affects the server software.

  • It enables attackers to execute arbitrary code by exploiting the path traversal flaw.

 


Exploitation and Impact

Dubbed SlashAndGrab by cybersecurity researchers, these flaws enable attackers to create administrator accounts and execute arbitrary code. The impact is significant, as it allows malicious actors to gain unauthorized access, compromise systems, and deliver various payloads into business environments.

 

Mitigation Steps

ConnectWise promptly released patches for these vulnerabilities after being notified of in-the-wild exploitation attempts. Cloud-hosted implementations of ScreenConnect received mitigations within hours of validation, but self-hosted (on-premise) instances remain at risk until manually upgraded. Organizations are strongly advised to patch to ScreenConnect version 23.9.8 immediately.

 

Additionally, if you are no longer under maintenance, ConnectWise allows you to install version 22.4 at no additional cost, which fixes the critical vulnerability (CVE-2024-1709).
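One way to triage an inventory against the guidance above, as an added example that is not ConnectWise or Webcheck Security code. The host names, build numbers and status labels are constructed for illustration; only the 23.9.8 threshold, the cloud/self-hosted distinction and the 22.4 release line come from this article.

```python
import re

FIXED = (23, 9, 8)  # per the article: mitigated in 23.9.8 and later

def parse_version(text):
    """Return a dotted-numeric version as a tuple of ints, else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(hosting, version):
    """Classify one ScreenConnect server (status labels are hypothetical)."""
    if hosting == "cloud":
        # The article says cloud-hosted instances were mitigated by the vendor.
        return "vendor-mitigated"
    parsed = parse_version(version)
    if parsed is None:
        return "manual-review"  # unknown or malformed version string
    # Compare numerically: as strings, "23.9.10" would sort below "23.9.8".
    major_minor_patch = (parsed + (0, 0))[:3]
    if major_minor_patch >= FIXED:
        return "patched"
    if parsed[:2] == (22, 4):
        # The article says a 22.4 release fixes CVE-2024-1709 but gives no
        # build number, so the exact build must be confirmed with the vendor.
        return "verify-22.4-build"
    return "upgrade-now"

# Constructed sample inventory: (host, hosting model, reported version)
INVENTORY = [
    ("sc-cloud.example.internal", "cloud", "23.9.7.1000"),
    ("sc-hq.example.internal", "self-hosted", "23.9.7.1000"),
    ("sc-branch.example.internal", "self-hosted", "23.9.10.2000"),
    ("sc-legacy.example.internal", "self-hosted", "22.4.3000"),
    ("sc-lab.example.internal", "self-hosted", "unknown"),
]

def report(inventory):
    return {host: triage(hosting, version) for host, hosting, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:28} {status}")
```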

 

Conclusion

As these types of vulnerabilities pose significant risks to organizations, timely remediation is crucial. Whether you're part of the federal enterprise or any other organization, prioritizing vulnerability management practices can help reduce exposure to cyberattacks.

 

Stay vigilant, keep your software up-to-date, and protect your systems from exploitation! Contact Webcheck Security today to discuss your organization’s cyber security program gaps and plan for us to perform your next penetration tests.
