Critical ConnectWise RMM Bug Poised for Exploitation Avalanche

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning.

ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Critical ScreenConnect Authentication Bypass

In an advisory on Monday, ConnectWise disclosed an authentication bypass carrying a score of 10 out of 10 on the CVSS vulnerability severity scale; besides opening the front door to targeted desktops, it allows attackers to reach a second bug, also disclosed Monday, which is a path-traversal issue (CVSS 8.4) that allows unauthorized file access.

"This vulnerability allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server," said James Horseman, Horizon3.ai exploit developer, in a blog today that provides technical details on the auth bypass and indicators of compromise (IoC). "This vulnerability follows a theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after setup."

On Tuesday, ConnectWise updated its advisory to confirm active exploitation of the issues, which don't yet have CVEs: "We received updates of compromised accounts that our incident response team have been able to investigate and confirm." It also added an extensive list of IoCs.

Meanwhile, Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit's honeypot sensors.

"Check for signs of compromise (like new users added) and patch!" he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.

The vulnerabilities affect ScreenConnect versions 23.9.7 and earlier, and specifically affect self-hosted or on-premises installations; cloud customers hosting ScreenConnect servers on the "screenconnect.com" or "hostedrmm.com" domains are not affected.

Expect ConnectWise Exploitation to Snowball

While exploitation attempts are low-volume at the moment, Mike Walters, president and co-founder of Action1, said in emailed commentary that businesses should expect "significant security implications" from the ConnectWise bugs.

Walters, who also confirmed in-the-wild exploitation of the vulnerabilities, said to expect, potentially, "thousands of compromised instances." But the issues also have the potential to blow up into a wide-ranging supply chain attack in which assailants infiltrate managed security service providers (MSSPs), then pivot to their business customers.

He explained, "The massive attack exploiting these vulnerabilities may be similar to the Kaseya vulnerability exploitation in 2021, as ScreenConnect is a very popular [remote management and monitoring tool] RMM among MSPs and MSSPs, and could result in comparable damage."

So far, both Huntress researchers and researchers from the Horizon3 attack team have publicly released PoCs for the bugs, and others are sure to follow.

To protect themselves, ConnectWise SmartScreen admins should upgrade to version 23.9.8 immediately to patch their systems, then use the IoCs provided to hunt for signs of exploitation.