A critical vulnerability patched this week in the ConnectWise ScreenConnect remote desktop software is already being exploited in the wild. Researchers warn that it’s trivial to exploit the flaw, which allows attackers to bypass authentication and gain remote code execution on systems, and proof-of-concept exploits already exist.
ScreenConnect is a popular remote support tool with both on-premises and in-cloud deployments. According to ConnectWise’s advisory released Monday, the cloud deployments hosted at screenconnect.com or hostedrmm.com have automatically been patched, but customers need to urgently upgrade their on-premises deployments to version 23.9.8.
Data from internet scanning service Censys showed over 8,000 vulnerable ScreenConnect servers when the vulnerability was disclosed. However, the impact of a successful exploit could extend past the server itself since a single ScreenConnect server could provide attackers with access to hundreds or thousands of endpoints — even across multiple organizations if the server is run by a managed service provider (MSP).
Attackers have exploited vulnerabilities in remote monitoring and management (RMM) tools used by MSPs in the past to gain access to their customers’ networks, and they also abused such tools for command-and-control in other attacks. Last month, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory about a malicious campaign that involved phishing emails that led to the download of legitimate RMM software, such as ScreenConnect and AnyDesk, that attackers then used to steal money from victims’ bank accounts in a refund scam.
In its original advisory, ConnectWise said there was no evidence of the two vulnerabilities it disclosed being exploited in the wild, but one day later it updated its advisory to warn customers that: “We received updates of compromised accounts that our incident response team have been able to investigate and confirm.”
Authentication bypass in the ScreenConnect setup wizard
The ScreenConnect patch addresses two vulnerabilities that don’t yet have CVE identifiers: An authentication bypass that’s rated with the maximum score of 10 (Critical) on the CVSS severity scale and an improper limitation of a pathname to a restricted directory, also known as a path traversal flaw, that’s rated 8.4 (High).
Researchers from security firms Horizon3.ai and Huntress independently analyzed the patches and determined that the authentication bypass flaw is caused by attackers being able to access and run the initial setup wizard again on an existing deployment. One critical part of this setup wizard, which should only be run once when the software is deployed, is that it allows the customer to set the admin username and password. Therefore, by running it again, an attacker is able to reset the application’s user database and create a new administrative account with credentials they control.
The application already had code that was meant to block requests trying to access the SetupWizard.aspx page after the initial setup was complete, but the check was not strong enough and did not block all variants of the URL. “The use of string.Equals checks for exact equality, so a URL like <app_url>/SetupWizard.aspx will match,” researchers from Horizon3.ai said. “However, there are other URLs that resolve to SetupWizard.aspx that donât match. If we simply add a forward slash to the end of the URL (<app_url>/SetupWizard.aspx/) we get access to the setup wizard, even after the application is already setup.”
This vulnerability is similar to one patched in January in Fortra GoAnywhere MFT, CVE-2024-0204, where attackers could similarly use a specially crafted request to reinitialize the original setup wizard and create their own administrative account. “The applicationâs Admin -> Audit page displays a list of recent login attempts along with the IP address,” the Horizon3.ai researchers said. “You can check this page for any unrecognized users or IP addresses.”
The Huntress team also released detection guidance and the ConnectWise advisory lists several IP addresses used by attackers so far as indicators of compromise.