External risk intelligence

ConnectWise ScreenConnect vulnerability allows attackers to run code or steal data

CVE advisoryKnown Exploit

CVE-2024-1708

ConnectWise ScreenConnect has a serious flaw that lets attackers run their own code or steal sensitive data, impacting critical systems. This needs immediate attention as it's being actively exploited.

5Halo Surface Signal

Path Traversal

Connectwise Screenconnect

before 23.9.8

External exposure likelihood

Halo Surface Signal score for CVE-2024-1708

ConnectWise ScreenConnect is a remote access and management solution designed to be network-accessible. In common deployments, these services are exposed to the internet to facilitate remote support and device management, placing the vulnerable interface directly on the network edge.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in ConnectWise ScreenConnect could allow an attacker to execute code remotely or access sensitive data. Teams should pay close attention because this could directly impact critical systems.

  • Attackers can impact confidential data.
  • Attackers can impact critical systems.
  • Remote code execution is possible.

Attack Path

How an attacker could exploit the issue

An authenticated attacker could exploit this path-traversal vulnerability to execute arbitrary code or access sensitive data. The attacker would first need to gain authenticated access to a vulnerable ScreenConnect instance. They could then craft a malicious request to navigate the file system, potentially overwriting critical files or executing commands.

  • Requires authenticated access.
  • Targets the ScreenConnect application.
  • Exploits path traversal to gain code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in ConnectWise ScreenConnect has been weaponized and is being actively exploited, with indications of ransomware campaigns utilizing it. The nature of the flaw allows for significant impact, making it a prime target for attackers seeking to gain unauthorized access or steal sensitive information.

  • Listed on KEV catalog.
  • Exploited in ransomware.
  • Recent exploitation signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment and patching for ConnectWise ScreenConnect versions prior to 23.9.8 due to active exploitation and high impact. Review logs for indicators of compromise and isolate affected systems if patching cannot be immediately applied to prevent further unauthorized access or data breaches.

  • Update to version 23.9.8 or later.
  • Isolate affected systems from the network.
  • Monitor for unauthorized access attempts.

Frequently asked questions

What is ConnectWise ScreenConnect and how is it used?

ConnectWise ScreenConnect is a remote access and management software utilized by IT professionals to provide remote support to clients, manage servers, and access unattended workstations.

What type of weakness does CVE-2024-1708 represent?

CVE-2024-1708 is a path-traversal vulnerability. This weakness allows an attacker to potentially access files and directories that they should not have access to, which could lead to the execution of code or unauthorized access to sensitive data.

What is required for an attacker to exploit this vulnerability?

To exploit this path-traversal vulnerability, an attacker must first gain authenticated access to a vulnerable ScreenConnect instance. After authentication, they can then craft a malicious request to traverse the file system, potentially leading to code execution or data compromise.

What is the relevance of CVE-2024-1708 to current threats, considering Halo Surface Signal?

Halo Surface Signal indicates that ConnectWise ScreenConnect is a remote access solution often exposed to the internet, making it a prime target. This vulnerability has been weaponized and is actively exploited, including in ransomware campaigns, and is listed on the Known Exploited Vulnerabilities catalog.

What are the recommended actions to address this vulnerability?

It is crucial to immediately patch ConnectWise ScreenConnect to version 23.9.8 or later, as versions prior to this are affected. If immediate patching is not possible, isolate affected systems from the network to prevent further unauthorized access or data breaches. Monitoring for signs of compromise is also recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified