Researchers caution that a high-risk ConnectWise vulnerability, currently under attack, is “embarrassingly easy” to exploit
A critical vulnerability has been discovered in ConnectWise ScreenConnect, a widely used remote access tool, which security experts warn is trivially exploitable and actively being used by malicious hackers. This vulnerability, rated as maximum severity, enables attackers to bypass authentication and potentially compromise servers or deploy malware.
ConnectWise was notified of the vulnerability on February 13 and subsequently disclosed details in a security advisory on February 19. Initially, the company stated there was no evidence of public exploitation. However, in a recent update, ConnectWise confirmed incidents of compromised accounts and provided IP addresses associated with threat actors.
ConnectWise has not disclosed the extent of the impact on its customers, but stated that approximately 80% of customer environments are cloud-based and that those environments received automatic patches within 48 hours. While the company has seen limited reports of suspected intrusions, the situation remains concerning because of the severity of the vulnerability and the ease with which it can be exploited.
ConnectWise has stated that there have been no reports of data exfiltration related to the exploited vulnerability. However, cybersecurity firm Huntress has confirmed active exploitation of the vulnerability, with indications of attackers deploying Cobalt Strike beacons and installing ScreenConnect clients on affected servers.
Huntress reports visibility into more than 1,600 vulnerable servers, highlighting the widespread impact of the vulnerability. Huntress CEO Kyle Hanslovan emphasized the severity of the situation, noting that potentially thousands of servers, which in turn control hundreds of thousands of endpoints, are at risk of exploitation. He warned that the access the vulnerability provides could lead to a surge in ransomware attacks.
ConnectWise has released patches for both the actively exploited vulnerability and a separate vulnerability affecting its remote desktop software. The company urges users to apply the fixes immediately. This development comes after earlier warnings from U.S. government agencies about a widespread cyber campaign exploiting legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect, to target federal civilian executive branch agencies.