CISA Mandates Immediate Fix for ConnectWise ScreenConnect Vulnerability

February 23, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in ConnectWise ScreenConnect, identified as CVE-2024-1709, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability is an authentication bypass issue that can be exploited by an attacker with network access to the management interface, enabling them to create a new, administrator-level account on affected devices. This issue affects ScreenConnect 23.9.7 and prior versions.

No action is required from partners whose ScreenConnect servers are hosted in the “screenconnect.com” cloud or on “hostedrmm.com”, as those servers have already been updated to address the issue. However, partners running self-hosted or on-premise servers need to update them to version 23.9.8 immediately to apply the patch.
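The two sentences above amount to a triage rule for defenders: a vendor-hosted instance needs nothing, while any self-hosted server at 23.9.7 or earlier must be taken to 23.9.8 or later. The following script is an added example, not code from the article, ConnectWise or CISA; it runs that rule over a constructed inventory of hostnames and version strings (the hostnames and versions are made up for illustration). It compares versions numerically rather than as strings, so a hypothetical 23.9.10 is correctly treated as newer than 23.9.8, and it routes unparseable versions to manual review instead of silently marking them safe.

```python
"""Triage a ScreenConnect inventory against the CVE-2024-1709 fix level.

Added example; not part of the original advisory. The fixed version (23.9.8)
and the vendor-hosted domains come from the article; the inventory below is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# First release that carries the fix for CVE-2024-1709 (from the article).
FIXED_VERSION = (23, 9, 8)

# Instances hosted by the vendor in these domains were updated by ConnectWise,
# so no partner action is required for them.
VENDOR_HOSTED_SUFFIXES = ("screenconnect.com", "hostedrmm.com")


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '23.9.7' or '23.9.10.8817' into a tuple of ints.

    Tuple comparison is numeric, so (23, 9, 10) > (23, 9, 8); a plain string
    comparison would get that wrong ('23.9.10' < '23.9.8' lexicographically).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vendor_hosted(hostname: str) -> bool:
    """True only for the exact domain or a subdomain of it, so that a
    look-alike such as 'screenconnect.com.example' is not treated as hosted."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_HOSTED_SUFFIXES)


def is_vulnerable_version(text: str) -> bool:
    """23.9.7 and earlier are affected; 23.9.8 and later contain the fix.

    Only the first three components decide; a trailing build number is ignored.
    A short string such as '23.9' compares lower than (23, 9, 8) and is
    therefore flagged, which is the safe direction for an incomplete record.
    """
    return parse_version(text)[:3] < FIXED_VERSION


@dataclass
class Finding:
    hostname: str
    version: str
    status: str  # vendor-hosted | patched | vulnerable | unknown-version
    action: str


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Classify each (hostname, version) pair and attach the required action."""
    findings: List[Finding] = []
    for host, version in inventory:
        if is_vendor_hosted(host):
            findings.append(Finding(host, version, "vendor-hosted",
                                    "none: instance updated by ConnectWise"))
            continue
        try:
            vulnerable = is_vulnerable_version(version)
        except ValueError:
            findings.append(Finding(host, version, "unknown-version",
                                    "verify installed version manually"))
            continue
        if vulnerable:
            findings.append(Finding(host, version, "vulnerable",
                                    "update to 23.9.8 or later now "
                                    "(CISA due date for federal agencies: 2024-02-29)"))
        else:
            findings.append(Finding(host, version, "patched", "none"))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("acme.screenconnect.com", "23.9.7"),          # vendor-hosted: already fixed
    ("support.hostedrmm.com", "23.9.7"),            # vendor-hosted: already fixed
    ("sc.corp.example", "23.9.7"),                  # self-hosted, affected
    ("sc-dr.corp.example", "22.1.3.4"),             # self-hosted, older, affected
    ("sc-new.corp.example", "23.9.8"),              # self-hosted, patched
    ("sc-lab.corp.example", "23.9.10.1234"),        # self-hosted, newer, patched
    ("screenconnect.com.example", "23.9.7"),        # look-alike name, self-hosted
    ("sc-old.corp.example", "unknown"),             # version not recorded
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.hostname:28} {f.version:14} {f.status:16} {f.action}")
```

Feed it whatever your asset inventory exports (hostname, reported version) and act on every `vulnerable` and `unknown-version` row; the `vendor-hosted` rows exist only so that cloud instances are not mistaken for self-hosted ones.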

The vulnerability has been analyzed by cybersecurity researchers at Huntress. The firm confirmed that the issue is actively being exploited in attacks and also recreated the exploit and attack chain. The researchers concluded that the exploit is trivial to carry out, and for that reason recommended withholding public details about the vulnerability until the industry has had sufficient time to patch.

A proof-of-concept (PoC) video of the exploit was created by Huntress researchers, demonstrating the simple authentication bypass and how to achieve remote code execution. CISA has confirmed that this vulnerability is being exploited in ransomware attacks, a fact also corroborated by researchers at Sophos.

In their statement, Sophos said, “In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709). Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.”

As per the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting these flaws. Private organizations are also advised to review the Catalog and address the vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix these vulnerabilities by February 29, 2024.
