Critical ConnectWise RMM Bug Poised for Exploitation Avalanche

Two days after disclosure, most instances of the remote desktop tool remain unpatched, while cyberattackers have started in-the-wild exploitation — and researchers warn it could get ugly, fast.

Massive Avalanche Roars Off the Slopes of Canada's King Peak
Source: RGB Ventures/SuperStock via Alamy Stock Photo

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning.

ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Critical ScreenConnect Authentication Bypass

In an advisory on Monday, ConnectWise disclosed an authentication bypass carrying a score of 10 out of 10 on the CVSS vulnerability severity scale; besides opening the front door to targeted desktops, it allows attackers to reach a second bug, also disclosed Monday, which is a path-traversal issue (CVSS 8.4) that allows unauthorized file access.

"This vulnerability allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server," said James Horseman, Horizon3.ai exploit developer, in a blog today that provides technical details on the auth bypass and indicators of compromise (IoC). "This vulnerability follows a theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after setup."

On Tuesday, ConnectWise updated its advisory to confirm active exploitation of the issues, which don't yet have CVEs: "We received updates of compromised accounts that our incident response team have been able to investigate and confirm." It also added an extensive list of IoCs.

Meanwhile, Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit's honeypot sensors.

"Check for signs of compromise (like new users added) and patch!" he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.

The vulnerabilities affect ScreenConnect versions 23.9.7 and earlier, and specifically affect self-hosted or on-premises installations; cloud customers hosting ScreenConnect servers on the "screenconnect.com" or "hostedrmm.com" domains are not affected.

Expect ConnectWise Exploitation to Snowball

While exploitation attempts are low-volume at the moment, Mike Walters, president and co-founder of Action1, said in emailed commentary that businesses should expect "significant security implications" from the ConnectWise bugs.

Walters, who also confirmed in-the-wild exploitation of the vulnerabilities, said to expect, potentially, "thousands of compromised instances." But the issues also have the potential to blow up into a wide-ranging supply chain attack in which assailants infiltrate managed security service providers (MSSPs), then pivot to their business customers.

He explained, "The massive attack exploiting these vulnerabilities may be similar to the Kaseya vulnerability exploitation in 2021, as ScreenConnect is a very popular [remote management and monitoring tool] RMM among MSPs and MSSPs, and could result in comparable damage."

So far, both Huntress researchers and researchers from the Horizon3 attack team have publicly released PoCs for the bugs, and others are sure to follow.

To protect themselves, ConnectWise SmartScreen admins should upgrade to version 23.9.8 immediately to patch their systems, then use the IoCs provided to hunt for signs of exploitation.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights