Analytics Story: ConnectWise ScreenConnect Vulnerabilities
Description
This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.
Why it matters
The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Nginx Access | N/A | nginx:plus:kv |
/var/log/nginx/access.log |
| Suricata | N/A | suricata |
suricata |
| Sysmon EventID 11 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Source: GitHub | Version: 1