ConnectWise, the leading remote access platform, has confirmed that it has found and patched two critical security vulnerabilities in its ScreenConnect product.
“The vulnerabilities were reported on February 13, 2024 via our vulnerability disclosure channel through the ConnectWise Trust Center,” ConnectWise warned in a security advisory.
“There is no evidence that these vulnerabilities have been exploited in the wild, but local partners should take immediate steps to address these identified security risks.”
No data theft (yet)
Given the severity of the vulnerabilities discovered, ConnectWise has urged its customers to apply the patch without delay. At the same time, security researchers are up in arms, with some even describing the findings as a complete disaster, both for ConnectWise and its customers.
CVEs for the two flaws have not yet been assigned, but we know they are affecting all servers running ScreenConnect 23.9.7 and earlier. They allow threat actors to mount remote code execution (RCE) attacks or capture sensitive data from vulnerable endpoints. Attacks that exploit the flaws are low complexity and do not require user interaction.
In a later update, the company said it “received updates of compromised accounts that our incident response team was able to investigate and confirm.”
A company spokesperson said TechCrunch It could not say how many customers were affected, but highlighted that the majority of its customers (80%) use cloud-based environments that were patched within two days.
So far, the company has also not seen evidence of a data breach.
The news is the latest security concern for ConnectWise, which also found multiple vulnerabilities in its remote access solutions for small and medium-sized businesses (SMBs) earlier this year.
