CG-2024-00002

ConnectWise - ScreenConnect Authentication Bypass

Case: CG-2024-00002-Connectwise-Screenconnect
Case lead: Soufian El Yadmani
Researchers: Chris Heald, Gabriel Tarsia, Michael Rowley, Soufian El Yadmani, Tuhin Mukherjee, Victor Gevers, Brad Lynch.
CVE(s): CVE-2024-1708, CVE-2024-1709
Product: ScreenConnect
Vulnerable Versions: ScreenConnect 23.9.7 and prior
Vendor Statement: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Published: 21 Feb 2024 13:00 CET
Last updated: 26 Feb 2024 22:41 CET

Summary

ConnectWise has addressed vulnerabilities in ScreenConnect that enable unauthorized creation of administrator accounts. A published exploit of trivial difficulty significantly elevates the risk, and this exploit is being used by ransomware crews. Self-hosted/on-premise users must update to version 23.9.8 immediately. Confirmed compromised accounts and associated threat actor IP addresses are shared on the ConnectWise website.

Other Resources