ConnectWise ScreenConnect has been found to carry a high-severity zero-day vulnerability that allows threat actors to mount devastating attacks against endpoints.
The flaw was detected and reported to ConnectWise by cybersecurity researchers from Gotham Security.
“If the vulnerabilities were left unaddressed, bad actors would have been able to gain access to all workstations and servers with ScreenConnect from a local network and then escalate their privileges to be local administrators on the affected systems,” the researchers explained, suggesting that no threat actors managed to exploit the flaw in the wild.
ScreenConnect is a cloud-based operations management solution that allows technicians to perform remote support, gain remote access and run remote meetings. Essentially, it’s a remote access tool used, according to Gotham Security, by tens of thousands of enterprise customers.
Remote access tools are often targeted by cybercriminals, who use them to gain an initial foothold in the victim’s network and deploy more dangerous malware.
In mid-November 2023, cybersecurity researchers from Huntress warned that attacks using TDS’ instance of ScreenConnect were about to escalate, mostly against healthcare organizations in the US. The researchers said hackers somehow obtained access to these instances and were using them to drop malware on endpoints belonging to two distinct organizations: one in the pharmaceutical sector and the other in healthcare. The only thing they have in common, the researchers stressed, is the ScreenConnect instance, as both endpoints are Windows Server 2019 systems.
In April last year, researchers observed hackers using Action1 RMM, an otherwise benign remote desktop monitoring and management solution, in their campaigns.
After it was made aware of the vulnerability, ConnectWise released a patch, which is now available for download.