Security News > 2024 > February > Exploiting the latest max-severity ConnectWise bug is 'embarrassingly easy'

Infosec researchers say urgent patching of the latest remote code execution vulnerability in ConnectWise's ScreenConnect is required given its maximum severity score.

In disclosing the maximum-severity authentication bypass vulnerability, ConnectWise also revealed a second weakness - a path traversal flaw with an 8.4 severity rating.

At the start of this working week, researchers at Huntress were also able to develop a working exploit using both vulnerabilities, but decided to hold off publishing details at the time because there was no evidence of them being used in active attacks.

Since attacks were later confirmed to be taking place by ConnectWise, Huntress released its full analysis of the vulnerabilities, along with a proof-of-concept exploit.

The path traversal vulnerability can also lead to Zip Slip attacks, the researchers said, but would require an attacker to have admin-level access in order to achieve RCE with it.

Zoom stomps critical privilege escalation bug plus 6 other flaws QNAP vulnerability disclosure ends up an utter shambles Ivanti discloses fifth vulnerability, doesn't credit researchers who found it Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/21/connectwise_max_severity_bug/