
ConnectWise Discloses Severe ScreenConnect Vulns Under Active Exploitation




The Download

If you are running an on-prem version of ConnectWise ScreenConnect that has not been patched this week, you need to patch now. The severe vulnerabilities (max CVSS 10), assigned CVE-2024-1708 and CVE-2024-1709 by CISA, affect all versions of ScreenConnect v23.9.7 and earlier, and are now under active exploitation following the release of proof-of-concept (PoC) exploit code.


What makes this particularly dangerous is that ScreenConnect is used by managed service providers (MSPs) and Security Operations Centers (SOCs) for remote administration of client machines. If it is compromised, the adversary can obtain administrator credentials and leverage the software to remotely connect to client machines and install malware, backdoors and ransomware.


What To Do

If you are running ScreenConnect on-prem, you need to immediately patch or take the system offline. If you are managed by a managed service provider (MSP), you should find out whether they are using ConnectWise ScreenConnect to manage your machines remotely, and if so, whether they have patched. If you are running ScreenConnect in the cloud, all cloud-hosted servers are already patched and you are not at risk. This is another argument for migrating to cloud managed services, rather than on-prem hosting.
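To turn "v23.9.7 and earlier" into a repeatable check across an inventory of on-prem servers, here is an added example (not code from ConnectWise or from this post) that parses ScreenConnect version strings and compares them numerically. The function names, the key=value inventory and the host names and build numbers in the sample are all constructed for the example; the only fact it takes from the post is the affected range.

```python
# Added example: classify ScreenConnect on-prem version strings against the
# affected range stated in the advisory (v23.9.7 and earlier).
# Function names and the sample inventory are hypothetical/constructed.
import re
from typing import Dict, Tuple

# Highest affected release triple named in the advisory. Anything above
# this (23.9.8 and later) is treated as patched by this check.
MAX_AFFECTED = (23, 9, 7)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v23.9.7' or '23.9.7.1000' into a tuple of ints, e.g. (23, 9, 7, 1000)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the major.minor.patch triple is 23.9.7 or lower.

    The comparison is numeric, not lexical: as strings, '23.9.10' sorts
    *below* '23.9.7', which would wrongly flag a newer build as vulnerable.
    A fourth (build) component is ignored because the affected range is
    defined by the release triple, and short strings like '23.9' are padded
    with zeros so they compare as 23.9.0.
    """
    triple = list(parse_version(version)[:3])
    triple += [0] * (3 - len(triple))
    return tuple(triple) <= MAX_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'VULNERABLE' or 'patched' for a quick patch-status report."""
    return {
        host: ("VULNERABLE" if is_vulnerable(ver) else "patched")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory: host names and build numbers are made up.
    sample = {
        "sc-prod-01": "23.9.7.1000",
        "sc-prod-02": "v23.9.8.1001",
        "sc-lab": "22.5.1",
        "sc-new": "23.9.10",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The numeric comparison is the point worth copying: a one-line `version <= "23.9.7"` string check passes for patched builds like 23.9.10 and fails for some older ones, so the triple has to be parsed before it is compared.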


If you have been running a vulnerable version of ScreenConnect (v23.9.7 or earlier), after patching, you should check for signs of system compromise. ConnectWise released these Indicators of Compromise (IOCs) for outbound adversary command and control:


  • 155.133.5.15

  • 155.133.5.14

  • 118.69.65.60


If you are running Threatmate agents or another security solution that monitors outbound connections, you can search for any outbound connections to these IPs. If you have a hit, then those machines are likely compromised and you must begin incident response.
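As an added example of that search (not code from ConnectWise, Threatmate or this post), the script below runs the three published IOC addresses over outbound-connection log lines. The key=value firewall-style log format, the host names and the private/documentation addresses in the sample are constructed; only the three C2 IPs come from the advisory. It matches on parsed addresses rather than substrings, so a destination such as 155.133.5.150 is not mistaken for 155.133.5.15, and it reports denied connections as well as allowed ones, since a blocked beacon attempt still points at a host that has something trying to reach the C2.

```python
# Added example: scan outbound-connection log lines for the C2 addresses
# published by ConnectWise. Log format, hosts and non-IOC addresses are
# constructed for the example; adapt LINE_RE to your own log source.
import ipaddress
import re
from typing import Dict, List

# The three IOC addresses from the advisory, parsed so matching is exact.
C2_IOCS = {
    ipaddress.ip_address(ip) for ip in ("155.133.5.15", "155.133.5.14", "118.69.65.60")
}

# Constructed sample log (hypothetical key=value firewall export). The
# 155.133.5.150 destination is deliberately present: a naive substring
# search for '155.133.5.15' would wrongly flag that host.
SAMPLE_LOG = """\
2024-02-21T10:01:02Z host=ws-017 action=allow proto=tcp src=10.0.4.23 dst=155.133.5.15 dport=443
2024-02-21T10:01:09Z host=ws-017 action=allow proto=tcp src=10.0.4.23 dst=203.0.113.7 dport=443
2024-02-21T10:02:40Z host=ws-022 action=allow proto=tcp src=10.0.4.31 dst=155.133.5.150 dport=8080
2024-02-21T10:03:11Z host=sc-srv action=allow proto=tcp src=10.0.1.5 dst=118.69.65.60 dport=4444
2024-02-21T10:03:15Z host=ws-017 action=deny proto=tcp src=10.0.4.23 dst=155.133.5.14 dport=443
"""

# Pulls the reporting host and the destination address out of one line.
LINE_RE = re.compile(r"host=(?P<host>\S+).*?\bdst=(?P<dst>[0-9a-fA-F:.]+)")


def find_c2_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is a published C2 IP.

    Both allowed and denied connections are reported: a denied beacon still
    means the source host attempted to reach the C2 and needs triage.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # malformed address field; skip rather than guess
        # Set membership on parsed addresses is exact, so 155.133.5.150
        # does not collide with 155.133.5.15.
        if dst in C2_IOCS:
            hits.append({"host": m.group("host"), "dst": str(dst), "line": line})
    return hits


def hosts_to_isolate(log_text: str) -> List[str]:
    """Distinct hosts with at least one C2 hit, i.e. the incident-response scope."""
    return sorted({hit["host"] for hit in find_c2_hits(log_text)})


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['dst']}: {hit['line']}")
    print("isolate:", ", ".join(hosts_to_isolate(SAMPLE_LOG)))
```

Point it at a real export by reading the file into `log_text` and adjusting `LINE_RE` to whatever field names your firewall, proxy or EDR uses for the reporting host and the destination; the parsed-address matching and the allow/deny handling carry over unchanged.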


For more information:





