Critical ConnectWise RMM Bug Poised for Exploitation Avalanche

Published: 23/11/2024   Category: security
Two days after disclosure, most instances of the remote desktop tool remain unpatched, while cyberattackers have started in-the-wild exploitation — and researchers warn it could get ugly, fast.



Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning.
ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.
In an advisory on Monday, ConnectWise disclosed an authentication bypass carrying a score of 10 out of 10 on the CVSS vulnerability severity scale. Besides opening the front door to targeted desktops, it allows attackers to reach a second bug, also disclosed Monday: a path-traversal issue (CVSS 8.4) that allows unauthorized file access.
"This vulnerability allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server," said James Horseman, Horizon3.ai exploit developer, in a blog today that provides technical details on the auth bypass and indicators of compromise (IoCs). "This vulnerability follows a theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after setup."
On Tuesday, ConnectWise updated its advisory to confirm active exploitation of the issues, which don't yet have CVEs: "We received updates of compromised accounts that our incident response team have been able to investigate and confirm." It also added an extensive list of IoCs.
Meanwhile, Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit's honeypot sensors.
"Check for signs of compromise (like new users added) and patch!" he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.
The vulnerabilities affect ScreenConnect versions 23.9.7 and earlier, and specifically affect self-hosted or on-premises installations; cloud customers hosting ScreenConnect servers on the screenconnect.com or hostedrmm.com domains are not affected.
While exploitation attempts are low-volume at the moment, Mike Walters, president and co-founder of Action1, said in emailed commentary that businesses should expect significant security implications from the ConnectWise bugs.
Walters, who also confirmed in-the-wild exploitation of the vulnerabilities, said to expect, potentially, thousands of compromised instances. But the issues also have the potential to blow up into a wide-ranging supply chain attack in which assailants infiltrate managed security service providers (MSSPs), then pivot to their business customers.
He explained, "The massive attack exploiting these vulnerabilities may be similar to the Kaseya vulnerability exploitation in 2021, as ScreenConnect is a very popular RMM [remote monitoring and management tool] among MSPs and MSSPs, and could result in comparable damage."
So far, both Huntress and the Horizon3 attack team have publicly released PoCs for the bugs, and others are sure to follow.
To protect themselves, ConnectWise ScreenConnect admins should upgrade to version 23.9.8 immediately to patch their systems, then use the IoCs provided to hunt for signs of exploitation.
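As an added illustration of the two actions the article ends on (confirm the build is no longer an affected one, then hunt for users added since disclosure), here is a small triage script. It is example code written for this page, not ConnectWise's, Horizon3's or Huntress' tooling. The version cut-off (fixed in 23.9.8, 23.9.7 and earlier affected) and the exemption for screenconnect.com / hostedrmm.com tenants come from the advisory text above; the user-store layout (an XML file such as App_Data/User.xml with one <User> element per account carrying <Name> and <CreationDate>), the advisory timestamp and the sample records are assumptions constructed for the demo and must be adapted to what a real install holds.

```python
"""Post-disclosure triage for a self-hosted ScreenConnect server.

Added example for this article, not ConnectWise or Horizon3 code. It performs the
two steps the text calls for: decide whether the build is still an affected one
(23.9.7 and earlier; hosted screenconnect.com / hostedrmm.com tenants are out of
scope), then hunt the local user store for accounts that were not there before
the advisory. The user-store layout below is an ASSUMPTION: a User.xml with one
<User> element per account carrying <Name> and <CreationDate>; adapt the element
names to whatever your install actually holds.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

FIXED_VERSION = (23, 9, 8)  # first release that carries the fix, per the advisory
HOSTED_DOMAINS = ("screenconnect.com", "hostedrmm.com")  # ConnectWise-hosted, not affected

# Constructed cut-off for the demo: set this to the advisory's real publication time.
ADVISORY_TIME_EXAMPLE = datetime(2024, 2, 19, 0, 0, tzinfo=timezone.utc)

# Constructed sample of the assumed User.xml layout (not a real server's data).
SAMPLE_USER_XML = """<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User>
    <Name>helpdesk-admin</Name>
    <CreationDate>2023-06-01T09:15:00Z</CreationDate>
  </User>
  <User>
    <Name>sc_svc</Name>
    <CreationDate>2024-02-21T03:42:17Z</CreationDate>
  </User>
</Users>
"""


def parse_version(version):
    """'23.9.7.8813' -> (23, 9, 7, 8813). Rejects junk so unparseable input never reads as patched."""
    parts = version.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError("unparseable ScreenConnect version: %r" % version)
    return tuple(int(p) for p in parts)


def is_affected(version, host=""):
    """True when a self-hosted server at this version still needs the 23.9.8 upgrade."""
    if host.lower().endswith(tuple("." + d for d in HOSTED_DOMAINS)):
        return False  # cloud tenants were handled by ConnectWise, per the advisory
    return parse_version(version)[:3] < FIXED_VERSION


def _parse_timestamp(raw):
    """ISO-8601 with optional trailing Z -> aware datetime (naive values are taken as UTC)."""
    dt = datetime.fromisoformat(raw.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def find_suspicious_users(user_xml, baseline, advisory_time):
    """Flag accounts missing from the known-good baseline or created at/after the advisory.

    Returns a list of {"name", "created", "reasons"} dicts, in file order.
    """
    hits = []
    for user in ET.fromstring(user_xml).iter("User"):
        name = (user.findtext("Name") or "").strip()
        created_raw = (user.findtext("CreationDate") or "").strip()
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        try:
            if created_raw and _parse_timestamp(created_raw) >= advisory_time:
                reasons.append("created after advisory")
        except ValueError:
            reasons.append("unparseable creation date")  # never silently skip a tampered record
        if reasons:
            hits.append({"name": name, "created": created_raw, "reasons": reasons})
    return hits


def triage(version, host, user_xml, baseline, advisory_time):
    """Combine both checks into one verdict for the operator."""
    return {
        "needs_patch": is_affected(version, host),
        "suspicious_users": find_suspicious_users(user_xml, baseline, advisory_time),
    }


if __name__ == "__main__":
    verdict = triage("23.9.7.8813", "sc.example.internal", SAMPLE_USER_XML,
                     {"helpdesk-admin"}, ADVISORY_TIME_EXAMPLE)
    print(verdict)
```

The baseline set is the list of accounts you can vouch for from before disclosure; any account outside it, or created after the advisory went out, is a lead to chase with the vendor's IoC list rather than proof on its own. The version check deliberately raises on an unparseable string instead of returning "not affected", so a typo in an inventory export cannot hide an unpatched server.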
