ConnectWise Releases Software Updates to Fix Critical Vulnerability in ScreenConnect
ConnectWise has announced the release of software updates to address two security flaws in its ScreenConnect remote desktop and access software, with one of the bugs being classified as critical.
The vulnerabilities, which are currently lacking CVE identifiers, include an authentication bypass using an alternate path or channel with a CVSS score of 10.0, and an improper limitation of a pathname to a restricted directory, also known as “path traversal,” with a CVSS score of 8.4.
ConnectWise has described the severity of the issues as critical, stating that they “could allow the ability to execute remote code or directly impact confidential data or critical systems.”
The security flaws impact ScreenConnect versions 23.9.7 and prior, and users are advised to update to the latest version, 23.9.8, as soon as possible. The company reported that the flaws were brought to their attention on February 13, 2024.
Although there is no evidence of the vulnerabilities being exploited in the wild, ConnectWise is recommending that users running self-hosted or on-premise versions update to the latest version as a precaution.
In addition to providing updated versions of releases 22.4 through 23.9.7 for the critical issue, ConnectWise strongly advises partners to update to ScreenConnect version 23.9.8.
This article was originally published on The Hacker News.
