On February 13, 2024, details of critical vulnerabilities affecting ScreenConnect versions 23.9.7 and prior were released via the ConnectWise Trust Center. These vulnerabilities have been described with MITRE Common Weakness Enumeration entries CWE-288 (Authentication bypass using an alternate path or channel) and CWE-22 (Improper limitation of a pathname to a restricted directory (“path traversal”)) and could allow the ability for an unauthenticated attacker to execute remote code. At this time, there is no evidence that these vulnerabilities have been exploited in the wild and no PoC has been publicly released.
Immediate action must be taken by those using the on-premise distribution of this software to address these identified security risks by updating their servers to version 23.9.8. Although ConnectWise has stated that they intend on also providing updated versions of releases 22.4 through 23.9.7 for the critical issue, it is strongly recommended to update to ScreenConnect version 23.9.8. For more information on upgrading an on-premise server, please see https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Get_started_with_ConnectWise_ScreenConnect_On-Premise/Upgrade_an_on-premises_installation. A download of the patched version of this software can be found here: https://screenconnect.connectwise.com/download.
For users of the cloud-based ScreenConnect servers hosted at “screenconnect.com” cloud or “hostedrmm.com”, there is no need for any action as these have been updated by ConnectWise to remediate the issue.
