ConnectWise Exploit Could Spur Ransomware Free-For-All

A critical ConnectWise ScreenConnect vulnerability that puts thousands of servers at risk of takeover is actively being exploited in the wild, ConnectWise said Tuesday.

ConnectWise released a security fix for ScreenConnect 23.9.7 on Monday, disclosing two vulnerabilities, including a critical bug with a maximum CVSS score of 10. The security bulletin was later updated with three IP addresses known to be targeting the flaw.  

This critical flaw, tracked as CVE-2024-1709, makes it “trivial and embarrassingly easy” to achieve authentication bypass and gain administrative access to a ScreenConnect instance, according to researchers at Huntress.  

The second bug, tracked as CVE-2024-1708, is a path traversal vulnerability that could allow a malicious ScreenConnect extension to achieve remote code execution (RCE) outside of its intended subdirectory.

However, the Huntress researchers noted that exploitation of CVE-2024-1709 alone is sufficient to enable RCE.

Managers of on-premises ConnectWise ScreenConnect instances should immediately upgrade to version 23.9.8 to prevent server compromise. Cloud instances have already been patched, according to ConnectWise.

ScreenConnect exploit threatens breach of countless downstream endpoints

ConnectWise ScreenConnect is commonly used by managed service providers (MSPs) to gain remote access to customer endpoints for services such as IT support.

About 3,800 ScreenConnect instances vulnerable to the latest bugs were detected by Shadowserver as of Wednesday morning – an estimated 93% of all detected instances. Shadowserver also began seeing exploit requests to its honeypot on Wednesday, the organization posted on X.

With each ScreenConnect instance serving potentially hundreds or thousands of endpoints, CVE-2024-1709 could set the stage for a major supply chain attack, not unlike the MOVEit hack by the Cl0p ransomware group that has affected more than 2,500 organizations since May 2023.  

“I can’t sugarcoat it – this s— is bad,” Huntress CEO Kyle Hanslovan told SC Media in a statement. “The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”

Huntress, which was also involved in incident response after the MOVEit hack, noted in its the increased danger due to proof-of-concept (POC) exploits being available, only deciding to release its own POC after other vendors had done so.

A Huntress spokesperson said the company worked closely with ConnectWise while studying the exploit and its potential impacts.

“There’s a reckoning coming with dual-purpose software; like Huntress uncovered with MOVEit over the summer, the same seamless functionality it gives to IT teams, it also gives to hackers,” said Hanslovan. “With remote access software, the bad guys can push ransomware as easily as the good guys can push a patch. And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative software won’t catch it because it’s coming from a trusted source.”