Pierluigi Paganini February 20, 2024

ConnectWise addressed two critical vulnerabilities in its ScreenConnect remote desktop access product and urges customers to install the patches asap.

ConnectWise warns of the following two critical vulnerabilities in its ScreenConnect remote desktop access product:

• CWE-288 Authentication bypass using an alternate path or channel (CVSS score 10)
• CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)  (CVSS score 8.4)

Both vulnerabilities were reported on February 13, 2024, through the company vulnerability disclosure channel via the ConnectWise Trust Center. The company is not aware of attacks in the wild exploiting these vulnerabilities, however, due to the higher risk of being targeted by exploits, ConnectWise recommends installing updates as emergency changes within days.  

The issues impact ScreenConnect 23.9.7 and prior, below is the remediation provided in the advisory:

Cloud 

There are no actions needed by the partner, ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.  

On-premise 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ConnectWise ScreenConnect remote desktop access product)