Heads up to people/orgs running ConnectWise ScreenConnect. There is a bad-as-it-gets bug being exploited right now that is basically no-tech hacking to gain remote admin access. Patch now if you haven't already.

ConnectWise's advisory on the vulnerabilities and exploitation is here:

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

A working proof of concept for this attack:

https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc

Huntress does a good job dissecting the ConnectWise advisory and showing the exploit in action.

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

https://www.youtube.com/watch?v=AWGoGO5jnvY

@wdormann sums up the technical capabilities needed to exploit this flaw:

"Apparently the exploit is to add a '/' to the end of the URI.
That's it."

https://infosec.exchange/@wdormann/111969450560709377
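For defenders checking their own servers, here is a log-triage sketch of the trailing-"/" pattern quoted above. It is an added example, not code from this thread, ConnectWise, Huntress or watchTowr. It assumes web-server access logs in W3C extended format with a `#Fields:` header; the page name `HypotheticalSetup.aspx`, the addresses and the log lines are constructed placeholders.

```python
import re

# Constructed W3C-style log excerpt; page names and addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-02-21 10:00:01 GET /Login.aspx - 192.0.2.10 200
2024-02-21 10:00:05 GET /HypotheticalSetup.aspx - 192.0.2.10 302
2024-02-21 10:00:09 GET /HypotheticalSetup.aspx/ - 198.51.100.7 200
2024-02-21 10:00:12 POST /HypotheticalSetup.aspx/anything - 198.51.100.7 200
2024-02-21 10:00:20 GET /App_Themes/site.css - 192.0.2.10 200
2024-02-21 10:00:31 GET /HypotheticalSetup.aspx/ - 203.0.113.5 404
"""

# An .aspx resource followed by "/" means the request carries extra path info
# after the page name, which an exact-match path check would not recognise.
PATH_INFO = re.compile(r"\.aspx/", re.IGNORECASE)

def find_path_info_requests(log_text):
    """Return one dict per request whose URI stem has path info after .aspx."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if PATH_INFO.search(stem):
            hits.append({"ip": row.get("c-ip", ""),
                         "method": row.get("cs-method", ""),
                         "stem": stem,
                         "status": row.get("sc-status", "")})
    return hits

def successful_sources(hits):
    """Client addresses that got a 2xx response: triage these first."""
    return sorted({h["ip"] for h in hits if h["status"].startswith("2")})

if __name__ == "__main__":
    found = find_path_info_requests(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["method"], h["stem"], h["status"])
    print("2xx sources:", successful_sources(found))
```

A hit is a lead for review, not proof of compromise; adapt the field names to whatever your server or reverse proxy actually writes.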

@briankrebs @wdormann That bug is just... hilarious. I remember having all kinds of shit in PHP due to their PATH_INFO support back in the 2000s/2010s. Not much has changed...
@christopherkunz @briankrebs
If you made a product 20 years ago and are still able to sell it, that's all you need to worry about.
Collecting money. 😂
Yes this is a subtweet.