ConnectWise warned customers to patch their ScreenConnect servers immediately against a maximum severity flaw that can be used in remote code execution attacks.
This security bug is due to an authentication bypass weakness that attackers can exploit to gain access to confidential data or execute arbitrary code remotely on vulnerable servers in low-complexity attacks that don't require user interaction.
The company also patched a path traversal vulnerability in its remote desktop software, which can only be abused by attackers with high privileges.
ConnectWise has yet to assign CVE IDs to the two security flaws that impact all servers running ScreenConnect 23.9.7 and prior.
While ScreenConnect cloud servers hosted on the screenconnect.com cloud or hostedrmm.com are already secured against potential attacks, admins running on-premise software are advised to update their servers to ScreenConnect version 23.9.8 immediately.
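As an added example (not from the article or from ConnectWise), a small inventory check that flags on-premise ScreenConnect servers still at 23.9.7 or earlier and treats vendor-hosted screenconnect.com / hostedrmm.com instances as already patched; the hostnames and version strings are constructed sample data, and versions are compared numerically so that a later release such as a hypothetical 23.9.10 is not misread as older than 23.9.8.

```python
"""Flag on-premise ScreenConnect servers below the patched 23.9.8 release.

Added example, not from the article. The inventory below is constructed
sample data; a real run would take it from your asset inventory.
"""
from __future__ import annotations

PATCHED = (23, 9, 8)  # first fixed release named by the vendor
VENDOR_HOSTED = ("screenconnect.com", "hostedrmm.com")  # already secured by ConnectWise

# Constructed sample inventory: (hostname, version string).
INVENTORY = [
    ("support.example.internal", "23.9.7"),   # on-prem, still vulnerable
    ("rdp.example.internal", "23.9.8"),       # on-prem, patched
    ("legacy.example.internal", "22.8.3"),    # on-prem, well behind
    ("newer.example.internal", "23.9.10"),    # hypothetical later build; lexical compare would get this wrong
    ("acme.screenconnect.com", "23.9.7"),     # vendor cloud, patched by the vendor
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.7' into (23, 9, 7) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vendor_hosted(host: str) -> bool:
    """Hosts under the vendor's cloud domains are not the admin's to patch."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_HOSTED)


def is_vulnerable(host: str, version: str) -> bool:
    """True for on-premise servers running 23.9.7 or earlier."""
    if is_vendor_hosted(host):
        return False
    return parse_version(version) < PATCHED


def find_vulnerable(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the hostnames that need an immediate update to 23.9.8."""
    return [host for host, version in inventory if is_vulnerable(host, version)]


if __name__ == "__main__":
    for host in find_vulnerable(INVENTORY):
        print(f"PATCH NOW: {host}")
```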
Huntress security researchers reported earlier today that they've already created a proof-of-concept exploit that can be used to bypass authentication on unpatched ScreenConnect servers.
Huntress added that a search on the Censys exposure management platform allowed them to find more than 8,800 servers vulnerable to attacks.
Shodan also tracks over 7,600 ScreenConnect servers, with only 160 currently running the patched ScreenConnect 23.9.8 version.
Last month, CISA, the NSA, and MS-ISAC issued a joint advisory warning that attackers increasingly use legitimate remote monitoring and management software such as ConnectWise ScreenConnect for malicious purposes.
By using remote desktop software as an entry point into their targets' networks, threat actors can access systems as local users without needing admin permissions or a full new software installation.
This allows them to bypass security controls and gain access to other devices on the network by taking advantage of the compromised user's permissions.
Attackers have been using ScreenConnect for malicious purposes for years, including stealing data and deploying ransomware payloads across victims' breached systems.
More recently, Huntress also spotted threat actors using local ScreenConnect instances for persistent access to hacked networks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 20 Feb 2024 16:50:15 +0000