ConnectWise ScreenConnect 23.9.8 Advisory Alert: Tool for Vulnerability Check

On February 19, 2024, ConnectWise issued a critical security advisory addressing two vulnerabilities impacting their ScreenConnect remote access software, widely used by the Managed Service Provider (MSP) community. Classified as “Critical” with a severity of “High”, these vulnerabilities pose a significant risk to their broader customer base of MSPs relying on ScreenConnect for remote management.

The disclosed vulnerabilities allow attackers to bypass authentication and gain remote code execution on vulnerable systems. This could grant them access to sensitive data, disrupt critical operations, and potentially compromise the networks of multiple organizations managed by a single MSP. Researchers warn that exploiting these vulnerabilities is relatively simple, and proof-of-concept exploits already exist, highlighting the urgency of immediate action.

While ConnectWise initially stated no evidence existed of these vulnerabilities being actively exploited, they later acknowledged reports of compromised accounts. This emphasizes the possibility that attackers may have already exploited the vulnerability before a patch was available, potentially compromising both MSPs and their customers.

Immediate Action Items

While ConnectWise has automatically patched cloud-based deployments, on-premises users remain at risk and need to upgrade urgently. Running the latest version is recommended, but 23.9.8 is the minimum version that remediates the reported vulnerabilities.

Identifying Critical Vulnerabilities Is Stressful. We’re Here to Help!

We’ve developed a simple PowerShell tool that streamlines identifying servers requiring the recent ConnectWise ScreenConnect patch. This tool can save you valuable time and effort.

Download the tool here.

I Patched ConnectWise ScreenConnect – Am I Still At Risk?

Patching is the first step to address the vulnerability and the next is to confirm that the vulnerability has been fixed. You can run the tool again to verify that your system is no longer vulnerable.
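
One way to run the same before-and-after check across many servers, as an added example that is not Lumu's tool or ConnectWise code: it assumes you already hold an inventory with `ComputerName` and `Version` columns (a hypothetical layout; the rows below are constructed) and compares each version numerically against the 23.9.8 minimum.

```powershell
# Added example: triage an inventory of on-premises ScreenConnect servers
# against the minimum remediated version named in the advisory (23.9.8).
$MinimumFixed = [version]'23.9.8'

function Get-ScreenConnectPatchStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Server,
        [version]$Minimum = $MinimumFixed
    )
    process {
        $parsed = $null
        # TryParse returns $false instead of throwing on blank or malformed input.
        $ok = [version]::TryParse([string]$Server.Version, [ref]$parsed)

        # Compare as [version], not as text: the string '23.9.10' sorts
        # before '23.9.8', which would wrongly flag a newer build.
        $status = if (-not $ok) {
            'Unknown'        # version missing or unreadable: check by hand
        } elseif ($parsed -lt $Minimum) {
            'NeedsPatch'
        } else {
            'Remediated'
        }

        [pscustomobject]@{
            ComputerName = $Server.ComputerName
            Version      = $Server.Version
            Status       = $status
        }
    }
}

# Constructed sample inventory; host names and versions are illustrative only.
$inventory = @'
ComputerName,Version
sc-onprem-01,23.9.7
sc-onprem-02,23.9.8
sc-onprem-03,23.9.10
sc-onprem-04,
'@ | ConvertFrom-Csv

$inventory |
    Get-ScreenConnectPatchStatus |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

Run it before patching to build the upgrade list and again afterwards; any row still marked `NeedsPatch` or `Unknown` needs follow-up.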

Now that your ConnectWise ScreenConnect instance is no longer vulnerable, it’s essential to acknowledge that your system might have been compromised during the vulnerable period.

  • Review the list of users created to identify any newly created users that you don’t recognize.
  • Ensure all security solutions are fully deployed and up-to-date across your entire organization and your customers’ networks.
  • Proactively hunt for indicators of compromise (IOCs) that attackers might have left behind during the vulnerability window.
  • Continuously monitor your network for suspicious activity that might indicate an adversary’s presence within your network or your customers’ networks.

Lumu identifies threats in your clients’ networks and helps MSPs automate responses using their existing cybersecurity tools. Request access today.
