US-based software company ConnectWise has released security updates to address two vulnerabilities in its SmartConnect remote access tool, one of which appears to be under active exploitation.
The both flaws currently have no CVE identifiers. The zero-day flaw in question is described as an authentication bypass issue, which can allow a remote non-authenticated attacker can bypass the authentication process and gain full access to the system.
Initially, ConnectWise said that there was no indication that the vulnerabilities have been exploited in the wild. However, on February 20, the company updated its security advisory to say that “we received updates of compromised accounts that our incident response team have been able to investigate and confirm.”
ConnectWise has also shared the “IP addresses were recently used by threat actors” (155.133.5.15, 155.133.5.14, 118.69.65.60).
The second flaw is a path traversal issue, which exists due to an input validation error when processing directory traversal sequences. A remote privileged user can send a specially crafted HTTP request and read arbitrary files on the system.
The vulnerabilities affect ScreenConnect 23.9.7 and prior.
Cybersecurity firm Huntress said it was able to reproduce a proof-of-concept exploit for the flaws and that it found a way to temporarily hot-fix vulnerable systems. The company has also released detection guidance to identify and thwart attacks.
Software tools made by ConnectWise have been abused in the past by threat actors for nefarious purposes. In October 2022, threat actors launched a widespread phishing campaign to deploy legitimate remote monitoring and management (RMM) software such as ScreenConnect (ConnectWise Control) and AnyDesk on victims’ systems and steal money from victims’ bank accounts.