Top remote access platform ConnectWise has confirmed that it has found and patched two critical security vulnerabilities in its ScreenConnect product.
“Vulnerabilities were reported on February 13, 2024 through our vulnerability disclosure channel through the ConnectWise Trust Center,” ConnectWise warned in a safety advice.
“There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by local partners to address these identified security risks.”
No data theft (yet).
Given the severity of the discovered vulnerabilities, ConnectWise has urged its customers to apply the patch without delay. At the same time, security researchers are taking action, and some are even describing the findings as an unmitigated disaster, both for ConnectWise and its customers.
The CVEs for the two flaws have yet to be assigned, but we do know that they affect all servers running ScreenConnect 23.9.7 and older. They enable threat actors to conduct Remote Code Execution (RCE) attacks or steal confidential data from vulnerable endpoints. The attacks that exploit the flaws are low in complexity and require no user interaction.
In a subsequent update, the company said it “received updates of compromised accounts that our incident response team was able to investigate and confirm.”
A company spokesperson said this TechCrunch It could not say how many customers were affected, but did emphasize that the majority of its customers (80%) use cloud-based environments that were patched within two days.
So far, the company has also seen no evidence of data exfiltration.
The news is the latest security vulnerability for ConnectWise, which also discovered multiple vulnerabilities in its remote access solutions for small and medium-sized businesses (SMBs) earlier this year.