Vulnerabilities > CVE-2022-36781 - Improper Restriction of Excessive Authentication Attempts vulnerability in Connectwise Screenconnect

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

connectwise

CWE-307

NVD

Published: 2022-09-28

Updated: 2024-03-19

Summary

ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.

Vulnerable Configurations

Part	Description	Count
Application	Connectwise Connectwise Screenconnect *	1

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

References

https://www.gov.il/en/Departments/faq/cve_advisories