ConnectWise critical exploit, already in wild, is about to 'erupt'


A recently discovered ConnectWise level 10 CVSS vulnerability, affecting its ScreenConnect remote desktop and access software, is being exploited in the wild – and is expected to escalate in magnitude, according to researchers at Huntress Labs.

The researchers are urging the thousands of managed service providers (MSP) who use the self-hosted software to immediately patch their systems with an already released fix for the bug.

The Huntress threat ops team – the same team of researchers who broke the infamous MOVEit hacks carried out by the Clop ransom gang last May – estimates tens of thousands of servers managing hundreds of thousands of endpoints will become vulnerable to hackers gaining remote access to the systems.

Huntress Labs CEO Kyle Hanslovan said a "highly trusted connection within the US intelligence community" revealed the vulnerability "is already being exploited in the wild for initial access," and presumably that access will eventually be sold to ransomware groups.

“The biggest cybersecurity incident of 2024 is mere hours from erupting,” Hanslovan said about the potential fallout.

ConnectWise Control
ConnectWise is a global software company and IT solutions provider. ScreenConnect (formerly ConnectControl) is one of the numerous managed service provider (MSP) platforms offered to clients.

"The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all," Hanslovan warned.

"Hospitals, critical infrastructure, and state institutions are proven at risk," he said.

Two critical flaws

ConnectWise disclosed the two critical vulnerabilities on February 13th, although they were first discovered a month before.

The two vulnerabilities, with CVSS scores of 10 and 8.4, are listed as:

  • CWE-288 Authentication bypass using an alternate path or channel
  • CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)

On February 19th, the team from Huntress Labs said it went ahead and "successfully re-created" a proof of concept (POC) to "validate the exploit" and "demonstrate its impact," now detailed in its "A Catastrophe for Control: Understanding the ScreenConnect Authentication Bypass" report.

ConnectWise has since remediated its cloud servers with the fix, and, in what Hanslovan called a 'bold move,' removed license restrictions for companies “no longer under maintenance” so they could upgrade to the latest software version for free.

Cybersecurity powderkeg

Huntress Labs says even with “crucial” warnings and free offers to update ASAP, ConnectWise clients have been slow to patch the flaws. “We worked through the night to take this vulnerability apart, fully understand how it works and recreate the exploit,” Hanslovan said.

“I can’t sugarcoat it – this shit is bad. We’re talking upwards of ten thousand servers that control hundreds of thousands of endpoints,” the CEO said.

Another team of security experts from the non-profit cybersecurity organization Shadowserver reported “3800 vulnerable ConnectWise ScreenConnect instances,” and estimated that, as of February 20th, 93% of instances were still vulnerable, with most located in the United States.

ConnectWise says that clients can incorporate indicators of compromise (IOCs) into their cybersecurity monitoring platforms to spot “malicious activity or threats,” helping to “detect and stop” cyberattacks, including malware and ransomware, and prevent a data breach.

The company released the following IP addresses already seen being used by threat actors to exploit the vulnerabilities:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60

Temporary hot-fix created

Huntress Labs said while creating the POC report, they had also “identified a way to temporarily hot-fix vulnerable systems” giving time for administrators to patch them.

“We have proactively deployed a temporary hotfix to over 1000 vulnerable systems. It's crucial people still update to the latest official version ASAP,” it posted in a thread on X.

Additionally, the research lab said it had "sent over 1,600 incident reports to partners with ScreenConnect versions below 23.9.8."
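The two concrete defensive data points in this story are the three IOC IP addresses ConnectWise published and the 23.9.8 version threshold Huntress used when sending incident reports. The script below is an added example, not code from the article, ConnectWise or Huntress: it matches web-server access-log lines against that IOC list and flags a ScreenConnect version string that sorts below 23.9.8. The log lines, request paths and version strings are constructed for the example; the access-log layout it parses is the common combined format, which is an assumption about how a given server logs.

```python
"""Added example (not from the article, ConnectWise or Huntress): match
access-log lines against the published IOC IPs and flag ScreenConnect
versions below 23.9.8."""
import ipaddress
import re
from typing import List, Tuple

# The three IOC IP addresses the article reports ConnectWise published.
IOC_IPS = frozenset({"155.133.5.15", "155.133.5.14", "118.69.65.60"})

# Huntress reported sending incident reports for versions below 23.9.8.
PATCHED_VERSION = (23, 9, 8)

# Constructed sample log in combined access-log layout (assumed format).
# Request paths are illustrative only; they are not the exploit's paths.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 512
155.133.5.15 - - [20/Feb/2024:10:02:13 +0000] "POST /Login HTTP/1.1" 302 0
192.168.1.20 - - [20/Feb/2024:10:03:44 +0000] "GET /Host HTTP/1.1" 200 2048
not a log line at all
118.69.65.60 - - [20/Feb/2024:10:04:01 +0000] "GET /Administration HTTP/1.1" 200 4096
"""

# client ip, ident, user, [timestamp], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.9.7' into (23, 9, 7); reject anything not dotted-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(text: str) -> bool:
    """True when the version sorts below 23.9.8 (tuple comparison)."""
    return parse_version(text) < PATCHED_VERSION


def find_ioc_hits(log_text: str) -> List[dict]:
    """Return one record per log line whose client IP is on the IOC list."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # line does not fit the assumed access-log layout
        try:
            # Normalise so e.g. leading zeros cannot dodge the comparison.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # client field is not an IP address (e.g. a hostname)
        if ip in IOC_IPS:
            hits.append({
                "line": lineno,
                "ip": ip,
                "time": m.group("ts"),
                "request": m.group("req"),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_LOG):
        print(f"line {h['line']}: IOC {h['ip']} {h['request']} -> {h['status']}")
    for v in ("23.9.7", "23.9.8", "24.1.0"):
        print(v, "below 23.9.8" if is_vulnerable_version(v) else "at or above 23.9.8")
```

A hit on an IOC address is a reason to investigate, not proof of compromise; conversely, the published list covers only addresses seen so far, so an absence of hits says nothing about servers still running a version below 23.9.8, which is why the version check is the primary signal here.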

"There’s a reckoning coming with dual-purpose software; like Huntress uncovered with MOVEit over the summer, the same seamless functionality it gives to IT teams, it also gives to hackers," said Hanslovan.

The CEO pointed out, “with remote access software, the bad guys can push ransomware as easily as the good guys can push a patch.”

“And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source,” he said.

Currently, there are over 13,500 companies who use ConnectWise Software-as-a-Service (SaaS) products, about 70% of them located in the US, according to data by Enlyft.

To note, ScreenConnect was known as ConnectControl from 2017 to 2023.

