Security News > 2022 > October > ConnectWise backup solutions open to RCE, patch ASAP!
ConnectWise has fixed a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager that could allow attackers to achieve remote code execution or access confidential data.
The company advises users to patch as soon as possible, as the vulnerability is "Either being targeted or have a higher risk of being targeted by exploits in the wild."
ConnectWise Recover is a backup solution for small businesses, and R1Soft Server Backup Manager is a solution popular with service providers.
The vulnerability is an authentication bypass bug arising from improper neutralization of special elements in output used by a downstream component (an injection-class weakness).
"Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover," the company noted, while R1Soft users should upgrade to v6.16.4 by following the instructions delineated here.
Huntress CEO Kyle Hanslovan has announced that Huntress will publish a write-up detailing how the vulnerability could be exploited to push ransomware onto the 4,800+ R1Soft servers exposed on the internet.
News URL
https://www.helpnetsecurity.com/2022/10/31/connectwise-backup-rce/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)