12:30pm, 21 February 2024
Unauthenticated Remote Code Execution in ConnectWise's ScreenConnect
ConnectWise ScreenConnect – software for remote desktop and access – has a critical vulnerability (CVE-2024-1709). This vulnerability could allow an unauthenticated attacker to remotely run arbitrary code without user interaction. This vulnerability is trivial to exploit and ConnectWise has confirmed active exploitation. CERT NZ recommends immediate patching.
Self-hosted and on-premises ScreenConnect servers require patching. ConnectWise has already patched Cloud ScreenConnect servers, which are no longer vulnerable.
What to look for
How to tell if you're at risk
You are vulnerable if you are running ScreenConnect version 23.9.7 or an earlier version.
How to tell if you're affected
Detecting exploitation is difficult and requires Windows event logs to have been configured before exploitation occurred. Huntress has published detection guidance with more information on how to do this.
ConnectWise has published indicators of compromise in their security bulletin.
See More Information, below, for links to Huntress and the ConnectWise bulletin.
What to do
Prevention
Patch your ScreenConnect to version 23.9.8 or later.
More information
ConnectWise advisory and security bulletins
ConnectWise ScreenConnect 23.9.8 security fix
ConnectWise | Security Bulletins
Huntress.com Detection Guidance for ConnectWise CWE-288
Detection Guidance for ConnectWise CWE-288 (huntress.com)
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident for IT specialists | CERT NZ