ConnectWise remote access software needs immediate patching, company says

IT management software company ConnectWise is urging users to update self-hosted versions of its ScreenConnect product “immediately” because of critical bugs that can allow easy intrusions by outsiders.

In its latest update to a security bulletin on the issue, the company says it has “received updates of compromised accounts that our incident response team have been able to investigate and confirm.” One of the vulnerabilities was disclosed with a CVSS score of 10, the highest possible.

ScreenConnect allows for secure remote desktop access and mobile device support. ConnectWise says the cloud-based versions of the software have been patched, but any organization running an on-premises or a self-hosted version should “immediately” update it.

Exploiting the bugs “is trivial and embarrassingly easy” according to a blog post by cybersecurity company Huntress. Attackers can remotely execute code on a compromised network.

Cybersecurity company watchTowr also posted a proof of concept on the GitHub repository that shows how exploitation could occur.

ConnectWise initially published an advisory, thin on details, on Monday. Huntress said that once it had recreated the exploit and attack chain, it was “too dangerous for this information to be readily available to threat actors,” but the company decided to “spill the beans” on Wednesday once other vendors published information.

The researchers summarized how an attack might occur in a 34-second video.