Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)
The two ScreenConnect vulnerabilities ConnectWise has recently urged customers to patch have finally been assigned CVE numbers: CVE-2024-1709 for the authentication bypass, CVE-2024-1708 for the path traversal flaw.
ConnectWise has also released a newer version of ScreenConnect (v23.9.10.8817) that contains the fixes for the two flaws along with other non-security fixes. More importantly, customers who are no longer under maintenance can also upgrade to it to protect themselves against exploitation.
Confirmed exploitation, PoC available
ConnectWise disclosed the two flaws on Monday (February 19), saying they had been reported through its vulnerability disclosure channel via the ConnectWise Trust Center, and urged self-hosted and on-premises customers to update their servers to version 23.9.8 as soon as possible.
On Tuesday, the company confirmed exploitation attempts from several IP addresses, and Huntress researchers published their technical analysis of both CVE-2024-1709 and CVE-2024-1708 and a demo of their proof-of-concept exploit for CVE-2024-1709.
WatchTowr Labs has published a proof-of-concept exploit for CVE-2024-1709 that adds a new administrative user to ConnectWise ScreenConnect as the first step in an RCE chain.
“The ‘exploit’ is trivial and embarrassingly easy,” Huntress researchers said, and demonstrated how it could lead to remote code execution. They also shared their own indicators of compromise and detection rules for potential malicious activity.
The Shadowserver Foundation says there are around 3800 vulnerable ConnectWise ScreenConnect instances and that they are picking up the initial exploit request in their honeypot sensors. “Check for signs of compromise (new users added) and patch!” they advised.
Update and check for evidence of compromise
As noted before, ALL ConnectWise ScreenConnect customers can now upgrade to a fixed version – v23.9.10.8817 – and should do it immediately.
“We assess with high confidence that this vulnerability will be actively targeted by various types of threat actors, including cybercriminals and nation-state actors, given the severity and scope of the vulnerability and the nature of the impacted product,” Palo Alto Networks’ Unit 42 opined.
ConnectWise has also provided advice for customers who suspect they have been compromised via CVE-2024-1709: upgrade the ScreenConnect installation first and, after logging in, use the Report Manager extension to check for malicious commands, tools or connections.
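Both Shadowserver and the PoC descriptions above point at the same first indicator: an unexpected account, typically with the Administrator role, added to the server. The script below is an added example (not ConnectWise's, Huntress's or Shadowserver's code) of turning that into a repeatable check. It assumes the on-premises server keeps local accounts in App_Data/User.xml with one User element per account carrying Name, CreationDate and a Roles list, and assumes the default Windows install path in the comment; the sample XML and the baseline set of known accounts are constructed for the example. Adjust the element names if your install's file differs.

```python
"""Flag ScreenConnect accounts that are new or were created after disclosure.

Added example, not vendor code. The User.xml layout (User/Name, User/CreationDate,
User/Roles/string) and the install path are assumptions; verify against your server.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ConnectWise disclosed the flaws on February 19, 2024. An account created on or
# after that date that nobody on the team recognises deserves a closer look.
DISCLOSURE_DATE = datetime(2024, 2, 19, tzinfo=timezone.utc)

# Constructed sample standing in for App_Data/User.xml (not a real capture).
SAMPLE_USER_XML = """<Users>
  <User>
    <Name>itadmin</Name>
    <CreationDate>2022-06-01T09:15:00Z</CreationDate>
    <Roles><string>Administrator</string></Roles>
  </User>
  <User>
    <Name>helpdesk</Name>
    <CreationDate>2023-11-12T14:03:00Z</CreationDate>
    <Roles><string>Host</string></Roles>
  </User>
  <User>
    <Name>sysmaint</Name>
    <CreationDate>2024-02-21T03:47:12Z</CreationDate>
    <Roles><string>Administrator</string></Roles>
  </User>
</Users>
"""

# Baseline of accounts you know you created; keep this in your own records.
KNOWN_ACCOUNTS = {"itadmin", "helpdesk"}


def parse_date(text):
    """Parse an ISO-8601 timestamp, treating a trailing Z as UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_users(xml_text):
    """Return (name, created, roles) tuples for every User element."""
    root = ET.fromstring(xml_text)
    users = []
    for user in root.iter("User"):
        name = user.findtext("Name", "")
        created = parse_date(user.findtext("CreationDate", "1970-01-01T00:00:00Z"))
        roles = [r.text for r in user.findall("Roles/string") if r.text]
        users.append((name, created, roles))
    return users


def suspicious_accounts(xml_text, known=KNOWN_ACCOUNTS, since=DISCLOSURE_DATE):
    """Map account name -> list of reasons for accounts that fail the baseline check."""
    findings = {}
    for name, created, roles in load_users(xml_text):
        reasons = []
        if name not in known:
            reasons.append("not in baseline")
        if created >= since:
            reasons.append(f"created {created.isoformat()} after disclosure")
        # An unexplained account is worse when it can administer the server.
        if reasons and "Administrator" in roles:
            reasons.append("holds Administrator role")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # On a real server read the file instead of the sample, for example:
    #   with open(r"C:\Program Files (x86)\ScreenConnect\App_Data\User.xml") as f:
    #       findings = suspicious_accounts(f.read())
    for name, reasons in suspicious_accounts(SAMPLE_USER_XML).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A hit from this script is a reason to pull the server's Report Manager output and session logs for that account, not proof of compromise on its own; an attacker who already has an Administrator account can also edit or remove entries in the same file, so compare against a copy of User.xml taken before the disclosure date where one exists.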
UPDATE (February 23, 2024, 02:00 a.m. ET):
Sophos’ X-Ops task force says they’ve been seeing the ScreenConnect vulnerabilities being actively exploited in the wild to deliver the LockBit ransomware (despite the recent law enforcement operation to disrupt the RaaS operator), AsyncRAT, infostealers, and the SimpleHelp Remote Access Client.