Hackers are actively exploiting a serious authentication bypass flaw in ConnectWise software

Security experts have raised the alarm over a critical vulnerability in ConnectWise ScreenConnect, a widely used remote access tool, which they describe as “trivial and embarrassingly easy” to exploit. According to TechCrunch, the flaw carries the highest severity rating: it is an authentication bypass that could let attackers remotely access and steal sensitive data or deploy malware on affected systems. ConnectWise, the software's developer, has confirmed that malicious hackers are actively exploiting the flaw.

Despite initial assurances that there was no public exploitation, the company later confirmed incidents of compromised accounts following an investigation by its incident response team. ConnectWise also identified and shared the IP addresses associated with the attackers.

The vulnerability, which affects a tool essential for IT service providers and remote support technicians, was first reported to ConnectWise on February 13, and the company disclosed it in a security advisory on February 19. While the exact number of affected users remains undisclosed, ConnectWise spokeswoman Amanda Lee mentioned “limited reports” of possible intrusions, adding that 80% of their cloud-based customer environments were patched automatically within 48 hours.

Huntress, a cybersecurity firm, published analysis that indicates continued exploitation of this vulnerability, with adversaries placing Cobalt Strike beacons and even installing ScreenConnect clients on compromised servers. Huntress CEO Kyle Hanslovan highlighted the seriousness of the situation, estimating that thousands of servers controlling numerous endpoints remain vulnerable, potentially leading to an increase in ransomware attacks.

ConnectWise has issued a patch for the vulnerability and urges users, especially those with on-premise installations of ScreenConnect, to apply the update immediately. The company has also addressed a separate vulnerability in its remote desktop software, but has not seen any exploitation of that second flaw.

Maxwell Nelson

Freelance journalist

Maxwell Nelson, an experienced crypto journalist and content strategist, has contributed significantly to industry-leading platforms such as Cointelegraph, OKX Insights, and Decrypt, weaving complex crypto narratives into insightful articles that resonate with a broad readership.
