Security News > 2022 > October > ConnectWise backup solutions open to RCE, patch ASAP!

ConnectWise has fixed a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager that could allow attackers to achieve remote code exection or access confidential data.

The company advises users to patch as soon as possible, as the vulnerability is "Either being targeted or have a higher risk of being targeted by exploits in the wild."

ConnectWise Recover is a backup solution for small businesses, and R1Soft Server Backup Manager is a solution popular with service providers.

The vulnerability is an authentication bypass bug that arose from improper neutralization of special elements in output used by a downstream component.

"Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover," the company noted, while R1Soft users should upgrade to v6.16.4 by following the instructions delineated here.

Huntress CEO Kyle Hanslovan has announced they will be publishing a write-up detailing how the vulnerability could be exploited to push ransomware onto the 4,800+ R1Soft servers exposed on the internet.

News URL

https://www.helpnetsecurity.com/2022/10/31/connectwise-backup-rce/