ConnectWise ScreenConnect, a widely used remote access software, is affected by a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw and rated critical in severity, the vulnerability poses a significant risk to more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology.
The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation.
ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms.
ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software.
Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses.
The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers.
ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately.
Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation.
The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise ScreenConnect.
The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems.
ConnectWise is actively working to address the vulnerability, but the situation remains critical.
The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security, starting with prompt patching of on-premise installations, to mitigate the risks associated with vulnerabilities in widely used software platforms.