21 February 2024

ConnectWise rolls out updates to fix two flaws, one actively exploited


ConnectWise rolls out updates to fix two flaws, one actively exploited

US-based software company ConnectWise has released security updates to address two vulnerabilities in its SmartConnect remote access tool, one of which appears to be under active exploitation.

The both flaws currently have no CVE identifiers. The zero-day flaw in question is described as an authentication bypass issue, which can allow a remote non-authenticated attacker can bypass the authentication process and gain full access to the system.

Initially, ConnectWise said that there was no indication that the vulnerabilities have been exploited in the wild. However, on February 20, the company updated its security advisory to say that “we received updates of compromised accounts that our incident response team have been able to investigate and confirm.”

ConnectWise has also shared the “IP addresses were recently used by threat actors” (155.133.5.15, 155.133.5.14, 118.69.65.60).

The second flaw is a path traversal issue, which exists due to an input validation error when processing directory traversal sequences. A remote privileged user can send a specially crafted HTTP request and read arbitrary files on the system.

The vulnerabilities affect ScreenConnect 23.9.7 and prior.

Cybersecurity firm Huntress said it was able to reproduce a proof-of-concept exploit for the flaws and that it found a way to temporarily hot-fix vulnerable systems. The company has also released detection guidance to identify and thwart attacks.

Software tools made by ConnectWise have been abused in the past by threat actors for nefarious purposes. In October 2022, threat actors launched a widespread phishing campaign to deploy legitimate remote monitoring and management (RMM) software such as ScreenConnect (ConnectWise Control) and AnyDesk on victims’ systems and steal money from victims’ bank accounts.

Back to the list

Latest Posts

Iranian hackers exploit RMM tools to deliver malware

Iranian hackers exploit RMM tools to deliver malware

One of the aspects of MuddyWater's strategy involves exploiting Atera's free trial offers.
24 April 2024
Ongoing malware campaign targets multiple industries, distributes infostealers

Ongoing malware campaign targets multiple industries, distributes infostealers

The campaign leverages a CDN cache domain as a download server, hosting malicious HTA files and payloads.
24 April 2024
US charges four Iranian hackers for cyber intrusions

US charges four Iranian hackers for cyber intrusions

The group targeted both both government and private entities.
24 April 2024