Dear Secureworks customer,

On February 19, 2024, ConnectWise disclosed two critical vulnerabilities in on-premises ScreenConnect servers, but they have not been assigned CVE identifiers as of this publication. The authentication bypass vulnerability (given a severity score of 10) is simple to exploit and does not require user interaction. Exploitation allows attackers to access confidential data or remotely execute arbitrary code on vulnerable servers. The path traversal vulnerability in ScreenConnect remote desktop software (given a severity score of 8.4) can only be exploited by attackers who have high privileges.

ConnectWise initially stated that there was no evidence of these vulnerabilities being exploited in the wild, although security firm Huntress created a proof-of-concept exploit to validate the vulnerabilities. After receiving reports of compromised accounts, ConnectWise updated its bulletin on February 20 to list three IP addresses used by the threat actors. Commercial internet survey datasets estimate that between 3,800 and 8,800 vulnerable systems are accessible via the internet as of this publication.

Recommended actions:

Secureworks(R) Counter Threat Unit(TM) (CTU) researchers recommend that customers review the vendor bulletin and upgrade vulnerable ScreenConnect servers as appropriate in their environments.

Secureworks actions:

The CTU(TM) research team is developing countermeasures to detect activity associated with this threat.

Questions:

If you have any questions or concerns about this advisory, please contact the SOC.