23.8.5

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

connectwise

critical

NVD

Published: 2024-02-21

Updated: 2024-02-23

Summary

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Vulnerable Configurations

Part	Description	Count
Application	Connectwise Connectwise Screenconnect 23.8.4 Connectwise Screenconnect 23.8.5	2

References

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
https://github.com/rapid7/metasploit-framework/pull/18870
https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

Summary

Vulnerable Configurations

Related news

References