Updated 12:42 GMT to correct exposed vulnerable instances number.
A critical bug in remote access software that is widely used by Managed Service Providers (MSPs) to manage tens of millions of downstream customer endpoints is being exploited in the wild – with the full-fat CVSS 10 ScreenConnect vulnerability “extremely trivial” to exploit.
The vulnerability is in ConnectWise’s ScreenConnect software and the company, as well as White Hats from the security community, has been scrambling to get customers alerted and patched since January 19. ConnectWise said it has also contacted CISA to help nudge customers.
But many on a MSP Reddit said they had yet to be contacted with several already locked out of admin accounts in the wake of apparent compromise. Approximately 3,800 instances are believed to be publicly exposed – these are managing a vast multiple of downstream endpoints.
The authentication bypass vulnerability, which does not yet have a CVE allocated, was disclosed to ConnectWise on February 13 via its disclosure channel. The Florida-based company pushed a patch six days later. watchTowr published a proof-of-concept exploit early February 21.
The ScreenConnect vulnerability affects on-premises/self-hosted deployments (23.9.7 and earlier). ConnectWise said that it has patched cloud-based versions (also vulnerable) but some cloud customers said early Wednesday in a discussion thread on the /r/MSP Reddit that they had not seen automatic updates, nor been contacted by the company.
See also - Five Eyes: Customers should ask these 8 things of their MSPs
Security professionals at Huntress warned that they have seen “quite a few folks who had [ScreenConnect] server components on their workstations - make sure you don’t fall in that category!” (i.e. just because you only have a client, not server installation, don't assume you're immune.)
ScreenConnect is often used to manage multiple endpoints/servers in an internal network – it can support instances with up to 150,000 endpoints. A 2023 CRN article suggested that MSPs working with the company now serve over one million small business customers alone with over 11.4 million endpoints, before factoring in larger enterprise customers.
Security researchers at Huntress confirmed “server-side RCE w/ability to pivot to endpoints” – attacks have now started and look set to escalate.
ConnectWise on February 21 said it was already seeing attacks from:
- 155.133.5.15
- 155.133.5.14
- 118.69.65.60
Perhaps needless to say, do not assume these are the only IOCs to look for. Any half-capable attacker will be rotating IPs rapidly.
A Reddit thread for MSPs suggested that many were seeing troubling activity like accounts being locked out before disclosure of active exploitation suggesting it may have already been happening and any ConnectWise user should start assessing systems for potential breach.
Cybersecurity company Huntress’s John Hammond noted on X: “It's a little too early to tell, but a handful of ScreenConnect instances that we saw previously responsive & functioning with normal interactivity, now seem to exhibit some different behavior…” adding: “I can't say anything for certain, but it makes me a little nervous there might be active exploitation attempts across common AWS IP space. Happening like, right now.”
