ScreenConnect Under Attack Following Disclosure of Critical Bugs

February 21, 2024

Technical details and proof-of-concept exploits for two vulnerabilities in ScreenConnect, a remote desktop and access software by ConnectWise, have been made public. The vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, are an authentication bypass and a path traversal flaw respectively. These flaws impact ScreenConnect servers 23.9.7 and earlier. ConnectWise has urged administrators to update their on-premise servers to version 23.9.8 to mitigate the risk, and has assured that instances on screenconnect.com cloud or hostedrmm.com are secure. Multiple ScreenConnect accounts have been compromised in attacks exploiting these vulnerabilities.

Cybersecurity firm Huntress has analyzed the vulnerabilities and warned that creating an exploit is relatively easy. As of Monday, more than 8,800 vulnerable ScreenConnect servers were exposed, according to the Censys platform. This number had dropped to around 3,800 by the next day, according to The ShadowServer Foundation. The first working exploits appeared shortly after ConnectWise announced the vulnerabilities, and more continue to be published.

Huntress discovered the two flaws by examining the code changes ConnectWise introduced with the patch. The first flaw, an authentication bypass, was spotted through a new check in a text file, which indicated that the authentication process had not been enforced on every access path. This allowed a user to reach the setup wizard even after ScreenConnect had already been set up, and to create a new administrator account to take control of the ScreenConnect instance.

The second flaw, a path traversal bug, allows files outside the intended restricted directory to be read or modified. It was identified from code changes in the 'ScreenConnect.Core.dll' file, which pointed to ZipSlip, a vulnerability class that arises when an application does not properly sanitize the extraction path of archive entries, so that sensitive files can be overwritten. The ConnectWise update introduces stricter path validation when extracting ZIP file contents, so that nothing can be written outside the designated subdirectories within ScreenConnect's folder.
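The fix described above comes down to one rule: before an archive entry is written to disk, resolve its destination and refuse it unless it still sits under the intended extraction root. The following is an added illustration of that rule, written for this page; it is not ScreenConnect's code, and the extension folder name, the archive contents and the helper names are constructed for the demo. It contrasts the unvalidated `os.path.join` pattern that ZipSlip bugs grow from with a hardened extractor that rejects `../` sequences, absolute paths, Windows-style separators and names that merely share a prefix with the root.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def naive_target_path(dest_root: str, member_name: str) -> str:
    """The pattern a ZipSlip bug comes from: join the entry name onto the
    destination with no validation. A '../' in the name walks out of root."""
    return os.path.normpath(os.path.join(dest_root, member_name))


def safe_target_path(dest_root: str, member_name: str):
    """Hardened version: return the resolved target only if it stays inside
    dest_root, otherwise None. Also rejects absolute names (POSIX or Windows
    style) and names that share only a string prefix with the root
    (/srv/app vs /srv/app2), which a startswith() check would let through."""
    root = Path(dest_root).resolve()
    # Treat backslashes as separators: an archive built on Windows may carry
    # them, and a Windows extractor would honour them.
    normalised = member_name.replace("\\", "/")
    if not normalised:
        return None
    if PurePosixPath(normalised).is_absolute() or PureWindowsPath(normalised).is_absolute():
        return None
    candidate = (root / normalised).resolve()  # collapses '.' and '..'
    if candidate != root and root not in candidate.parents:
        return None
    return str(candidate)


def safe_extract(zip_bytes: bytes, dest_root: str) -> dict:
    """Extract an in-memory archive into dest_root, skipping every entry whose
    resolved path would leave dest_root. Returns what was written/rejected."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target_path(dest_root, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return {"written": written, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed test archive (not from the advisory): one entry that belongs
    in the extension folder and one that tries to climb out of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExtension/manifest.xml", "<manifest/>")
        zf.writestr("../../outside.txt", "must never reach the disk")
    return buf.getvalue()


def demo() -> dict:
    """Run the hardened extractor on the sample archive in a scratch directory
    and report where the naive join would have put the rejected entries."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "App_Extensions")  # hypothetical extension root
        os.makedirs(root)
        report = safe_extract(data, root)
        report["naive_targets"] = [naive_target_path(root, n) for n in report["rejected"]]
        root_prefix = os.path.abspath(root) + os.sep
        report["naive_escapes_root"] = any(
            not t.startswith(root_prefix) for t in report["naive_targets"]
        )
    return report


if __name__ == "__main__":
    print(demo())
```

The containment test compares path components (`root in candidate.parents`) after both sides have been resolved, which is what makes the prefix case and the `..` case fall out of the same check; a plain string `startswith` on the unresolved path would miss both. Entries stored as symlinks are written as ordinary files here, so a link cannot later redirect a sibling entry outside the root.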

With the administrative access gained through the first flaw, the User.xml file and other sensitive files can be read or manipulated by crafting requests that include directory traversal sequences. An attacker can also upload a payload, such as a malicious script or executable, outside the ScreenConnect subdirectory.

Huntress has shared indicators of compromise and detection guidance based on the artifacts left behind when the above flaws are exploited. Administrators who have not yet applied the security updates are strongly advised to use these detections to check for unauthorized access.
