Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited


IT admins have been urged to patch any on-premises ScreenConnect servers immediately, after reports that a recently published maximum severity vulnerability is being exploited in the wild.

CVE-2024-1709 is an authentication bypass bug which has been given a CVSS score of 10.0. It can be exploited without user interaction to execute arbitrary code and access sensitive data in low-complexity attacks.

ConnectWise, the maker of the remote desktop software, also disclosed a path traversal vulnerability with a CVSS score of 8.4, subsequently labelled CVE-2024-1708.

Cloud customers have already had their instances updated, but on-premises customers must take action.


“Partners that are self-hosted or on-premises need to update their servers to version 23.9.8 immediately to apply a patch,” the vendor said. “We’ve received notifications of suspicious activity that our incident response team has investigated.”
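The only version fact the vendor gives is the minimum patched release, 23.9.8, so the first thing an admin of a self-hosted fleet needs is a reliable way to compare each server's reported version against it. The script below is an added example written for this article, not ConnectWise's or Huntress's code; the hostnames, deployment types and versions in the inventory are constructed, and the inventory itself is assumed to come from whatever asset list you already keep. It parses dotted version strings numerically (plain string comparison would misorder a hypothetical "23.9.10" against "23.9.8") and lists the on-premises hosts that still need the update, oldest first.

```python
"""Flag on-premises ScreenConnect servers that are below the patched release."""
from typing import Iterable, List, Tuple

# Minimum patched version per the vendor advisory quoted in the article.
PATCHED_VERSION = "23.9.8"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for ordering.

    Only the leading digits of each component are used, so a build suffix such
    as '23.9.8.8811-beta' (a constructed example) still orders correctly.
    """
    parts: List[int] = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the reported version is older than the patched release.

    Tuple comparison handles differing lengths: (23, 9, 8, 8811) sorts after
    (23, 9, 8), and a bare (23, 9) sorts before it and is treated as unpatched.
    """
    return parse_version(version) < parse_version(patched)


# Constructed sample inventory (hostname, deployment, reported version).
# These are not real hosts; substitute your own asset list.
SAMPLE_INVENTORY = [
    ("sc-hq-01", "on-premises", "23.9.7"),
    ("sc-branch-02", "on-premises", "23.9.8"),
    ("sc-lab-03", "on-premises", "22.6.10"),
    ("sc-cloud-04", "cloud", "23.9.8"),  # cloud instances were updated by the vendor
]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return on-premises hostnames still needing the 23.9.8 update, oldest first.

    Cloud-hosted instances are skipped because the vendor patched them centrally;
    only self-hosted servers require action by the customer.
    """
    needs_patch = [
        (host, ver)
        for host, deploy, ver in inventory
        if deploy == "on-premises" and is_vulnerable(ver)
    ]
    needs_patch.sort(key=lambda hv: parse_version(hv[1]))
    return [host for host, _ in needs_patch]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below {PATCHED_VERSION}, patch immediately")
```

Treat a server that reports no version at all as unpatched until proven otherwise; the parser returns an empty tuple for such input, which sorts before every real version and so lands on the patch list.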

Separately, Huntress CEO Kyle Hanslovan cited a US intelligence source as saying that the initial access brokers currently exploiting the CVSS 10.0 bug will inevitably sell that access to ransomware actors.

“The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all. Hospitals, critical infrastructure, and state institutions are proven at risk,” he warned.

“With remote access software, the bad guys can push ransomware as easily as the good guys can push a patch. And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source.”

The Shadowserver Foundation claimed in a tweet yesterday that around 3800 ConnectWise ScreenConnect instances are still vulnerable to exploitation of both bugs.
