ConnectWise has released software updates to address two security flaws in its ScreenConnect remote access and desktop software, including a critical bug that could allow remote code execution on affected systems.
The vulnerabilities, which currently do not have CVE identifiers, are listed below:
- Authentication bypass using an alternate path or channel (CVSS score: 10.0)
- Improper restriction of a path name to a restricted directory, aka “path traversal” (CVSS score: 8.4)
The company deemed the severity of the issues critical, saying they “could enable the ability to execute remote code or directly impact sensitive data or critical systems.”
Both vulnerabilities impact ScreenConnect versions 23.9.7 and earlier, with fixes available in version 23.9.8. The defects were reported to the company on February 13, 2024.
While there is no evidence that the shortcomings have been exploited at scale, customers running self-hosted or on-premises versions are advised to upgrade to the latest version as soon as possible.
“ConnectWise will also provide updated versions 22.4 through 23.9.7 for the critical issue, but strongly recommends partners upgrade to ScreenConnect version 23.9.8,” ConnectWise said.
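The article gives the only two facts an administrator needs for an inventory sweep: releases 23.9.7 and earlier are affected, and 23.9.8 carries the fix, with the vendor promising fixed builds for the 22.4 through 23.9.7 branches as well. The following is an added example, not code from the article or from ConnectWise, that applies that range to a list of server versions. It assumes version strings are dotted integers such as "23.9.7" or "23.9.7.8765" (the four-part form is an assumption, not something the article states), and it compares them numerically, because a plain string comparison would rank "23.10.1" below "23.9.8" and mark a newer build as affected. Since the article gives no version numbers for the promised back-ported builds, anything below 23.9.8 in the 22.4 branch or later is reported as needing confirmation rather than being treated as safe.

```python
"""Classify ScreenConnect server versions against the affected range.

Added example (not from the article or the vendor). Facts used:
  - 23.9.7 and earlier affected, 23.9.8 fixed
  - vendor said it would also ship fixed builds for branches 22.4 through 23.9.7
Assumption: version strings are dotted integers, e.g. "23.9.7" or "23.9.7.8765".
"""
from typing import Iterable

FIXED_IN = (23, 9, 8)      # first release carrying the fix, per the advisory
BACKPORT_FLOOR = (22, 4)   # oldest branch the vendor said it would patch


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "23.9.7" or "23.9.7.8765" into a tuple of ints.

    Tuple comparison is the point: as strings, "23.10.1" < "23.9.8", which
    would wrongly flag a newer build as affected.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return one of three statuses for a server version.

    "fixed"                    -> 23.9.8 or later
    "affected-unless-backport" -> 22.4 up to 23.9.7; a fixed build for this
                                  branch was promised, but the version number
                                  alone cannot confirm it, so verify manually
    "affected"                 -> older than 22.4; no backport announced, so
                                  upgrading to 23.9.8 is the only path
    """
    v = parse_version(version)
    if v[:3] >= FIXED_IN:
        return "fixed"
    if v[:2] >= BACKPORT_FLOOR:
        return "affected-unless-backport"
    return "affected"


def hosts_needing_action(
    inventory: Iterable[tuple[str, str]]
) -> list[tuple[str, str, str]]:
    """Return (host, version, status) for every server not confirmed fixed."""
    flagged = []
    for host, version in inventory:
        status = classify(version)
        if status != "fixed":
            flagged.append((host, version, status))
    return flagged


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("sc-prod-01", "23.9.8"),
    ("sc-prod-02", "23.9.7.8765"),
    ("sc-lab", "22.3.1"),
    ("sc-branch", "23.10.1"),
    ("sc-old", "22.6.9"),
]

if __name__ == "__main__":
    for host, version, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host:12} {version:14} {status}")
```

Feeding it a real inventory means exporting hostname and version pairs from whatever asset system tracks the servers; the output is a worklist, not a clean bill of health, because only a vendor-confirmed fixed build number can clear the "affected-unless-backport" entries.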