ConnectWise Security Updates – 21 February 2024

The addressed vulnerabilities could allow the remote attacker to bypass security restrictions and obtain administrative access, or traverse directories and obtain sensitive information by sending a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the affected system.

The addressed vulnerabilities:

1. CWE-288: ConnectWise ScreenConnect Security Bypass Vulnerability:

• CVSS: 10
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Bypass Security

2. CWE-22: ConnectWise ScreenConnect Directory Traversal Vulnerability:

• CVSS: 8.4
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: High
• User Interaction: Required
• Consequences: Obtain Information