Security experts have raised alarms over a critical vulnerability in ConnectWise ScreenConnect, a widely used remote access tool, which they describe as “trivial and embarrassingly easy” to exploit. According to TechCrunch, this flaw, with the highest severity rating, poses a significant risk as it allows for an authentication bypass that could enable attackers to remotely access and steal sensitive data or deploy malware on affected systems. As confirmed by the ConnectWise, the software’s developer, malicious hackers are actively exploiting this flaw, posing a significant threat to data security and system integrity.
Despite initial assurances of no public exploitation, the company later confirmed incidents of compromised accounts following an investigation by their incident response team. ConnectWise has also identified and shared IP addresses linked to the attackers.
The vulnerability, impacting a tool essential for IT providers and technicians to offer remote support, was first reported to ConnectWise on February 13, with the company disclosing it in a security advisory on Feb. 19. Although the exact number of affected customers remains undisclosed, ConnectWise spokesperson Amanda Lee mentioned “limited reports” of suspected intrusions, adding that 80% of their cloud-based customer environments were patched automatically within 48 hours.
Huntress, a cybersecurity firm, published an analysis indicating ongoing exploitation of this flaw, with adversaries deploying Cobalt Strike beacons and even installing ScreenConnect clients on compromised servers. Huntress CEO Kyle Hanslovan highlighted the severity of the situation, estimating that thousands of servers controlling numerous endpoints remain vulnerable, potentially leading to a surge in ransomware attacks.
ConnectWise has issued a patch for the vulnerability and is urging users, especially those with on-premise ScreenConnect installations, to apply the update promptly. The company also addressed a separate vulnerability in its remote desktop software but has not observed any exploitation of this flaw.