PRODUCT: Huntress Managed Endpoint Detection and Response (EDR)
SUMMARY: Recommendations to patch and update ScreenConnect version 23.9.8
For on-premises users, our strongest recommendation is to patch and update to ScreenConnect version 23.9.8 immediately.
What is Happening?
Huntress security researchers have validated the vulnerabilities referenced in the latest ConnectWise ScreenConnect advisory and built a proof-of-concept exploit for them. The advisory disclosed a Critical severity (CVSS 10), high-priority (priority one) risk. From our independent analysis, we have validated the authentication bypass and SYSTEM-level remote code execution against vulnerable ScreenConnect servers.
Please see our blogs for more details:
- Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8
- Detection Guidance for ConnectWise CWE-288
- A Catastrophe For Control: Understanding the ScreenConnect Authentication Bypass
You can also view our Reddit post here.
What is Huntress Doing for Partners?
We have sent over 1,600 incident reports to partners with ScreenConnect versions below 23.9.8, with directions and steps to patch hosts. We have also created documentation on finding ScreenConnect autoruns via the Huntress portal, which also discusses the vulnerable server components we reported on and how to tell if your host has been successfully patched.
Huntress has also proactively addressed the recent ScreenConnect vulnerability by replacing a key vulnerable file with an updated version on all managed vulnerable ScreenConnect servers. This update mirrors the functionality of the official patch, effectively mitigating the risk posed by the vulnerability.
This mitigation is not a fix; hosts should still be patched properly to ensure full protection is in place.
What Other Steps do I Need to Take?
- Consult the Official Advisory - For detailed guidance and the latest updates, refer to the official ScreenConnect advisory here.
- Install the Official Patch - For a permanent fix, download and install the official patch from ConnectWise.
My system has been compromised, but I only just started using Huntress, don't currently use Huntress, or didn't get an alert. What steps can I take to prevent further activity?
Our current recommendations are as follows:
- Isolate any compromised servers. The Huntress tool can be used for host and organization isolation.
- Restart or stop the following services to terminate any active ScreenConnect sessions:
- ScreenConnect Web Server
- ScreenConnect Session Manager
- ScreenConnect Security Manager
- ScreenConnect Relay
- Reset any credentials the threat actor may have had access to
- Patch the server to the latest ScreenConnect version and follow any updates on the official ConnectWise advisory.
- Deploy Huntress to the environment for 24/7 monitoring of known malicious activity
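The following PowerShell script is an added example, not code from Huntress or ConnectWise. It covers two points from this article: checking whether a host is at or above the patched version 23.9.8, and restarting the four services listed above to terminate active sessions on a server that is still vulnerable. The install directory, the service binary name (`Bin\ScreenConnect.Service.exe`) and the use of the listed names as Windows service display names are assumptions; adjust them if your installation differs. Run it in an elevated PowerShell session on the ScreenConnect server.

```powershell
# Added example (not Huntress or ConnectWise code). Assumptions, labelled as such:
#   - ScreenConnect is installed under $InstallDir (assumed default location).
#   - The service binary is Bin\ScreenConnect.Service.exe (assumed file name).
#   - The four services can be found by the display names given in the article.

$PatchedVersion = [version]'23.9.8'
$InstallDir     = 'C:\Program Files (x86)\ScreenConnect'   # assumed default path

function Get-ScreenConnectVersion {
    param([string]$Dir = $InstallDir)
    # Read the file version from the service binary; returns $null if not installed.
    $exe = Join-Path $Dir 'Bin\ScreenConnect.Service.exe'
    if (-not (Test-Path $exe)) { return $null }
    $fv = (Get-Item $exe).VersionInfo.FileVersion
    # FileVersion may carry a fourth component (build number); [version] accepts both forms.
    return [version]$fv
}

function Test-ScreenConnectPatched {
    param([version]$Installed)
    # A host counts as patched only when the installed version is 23.9.8 or later.
    if ($null -eq $Installed) { return $false }
    return $Installed -ge $PatchedVersion
}

function Restart-ScreenConnectServices {
    # Restart the services named in the article so that any active sessions are dropped.
    $names = 'ScreenConnect Web Server', 'ScreenConnect Session Manager',
             'ScreenConnect Security Manager', 'ScreenConnect Relay'
    foreach ($n in $names) {
        $svc = Get-Service -DisplayName $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service '$n' not found"; continue }
        Restart-Service -InputObject $svc -Force
        Write-Host "Restarted $n"
    }
}

$installed = Get-ScreenConnectVersion
if ($null -eq $installed) {
    Write-Host "ScreenConnect not found under $InstallDir"
} elseif (Test-ScreenConnectPatched $installed) {
    Write-Host "ScreenConnect $installed is at or above $PatchedVersion (patched)."
} else {
    Write-Host "ScreenConnect $installed is below $PatchedVersion: VULNERABLE. Patch per the official ConnectWise advisory."
    # Restarting disconnects every user, so only do it when explicitly requested.
    if ($env:SC_RESTART_SERVICES -eq '1') { Restart-ScreenConnectServices }
}
```

The version check reads the binary's file version rather than trusting the web UI, so it still works on a server you have already isolated from the network. Set `SC_RESTART_SERVICES=1` in the environment before running it if you want the service restart to happen automatically on a vulnerable host; the reset of credentials and the isolation step from the list above remain manual actions.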