ConnectWise Patches Critical ViewState RCE Vulnerability in ScreenConnect
CinchOps Security Advisory: ScreenConnect ViewState Vulnerability Patched
ConnectWise has released an urgent security patch addressing a high-risk vulnerability in their ScreenConnect remote access solution. The vulnerability, rated at CVSS 8.8, affects on-premises installations of ScreenConnect version 25.2.3 and earlier.
Understanding the ViewState RCE Vulnerability
The vulnerability is linked to the ViewState mechanism in ASP.NET Web Forms, which ScreenConnect uses to maintain page state. Attackers who gain access to server machine keys could craft malicious ViewState data, potentially leading to remote code execution. This sophisticated attack requires privileged system-level access, but if successful, could compromise the entire server environment and connected systems.
This critical vulnerability follows previous security issues in ScreenConnect. Earlier this year, ConnectWise addressed two other critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) that were actively exploited in the wild.
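The dependence on machine keys described above can be shown with a simplified model, added here as an illustration and not taken from ConnectWise or ASP.NET code. It treats page state as a byte string protected by an HMAC-SHA256 tag; the state format, key size and function names are assumptions of the example, not ASP.NET's wire format.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def protect(state: bytes, key: bytes) -> bytes:
    """Append a MAC so the server can detect client-side tampering."""
    return state + hmac.new(key, state, hashlib.sha256).digest()


def validate(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the state if its MAC verifies under `key`, else None."""
    if len(blob) < TAG_LEN:
        return None
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


def demo() -> Dict[str, bool]:
    server_key = os.urandom(32)  # stands in for the server's machine key
    genuine = protect(b"page=Login;step=1", server_key)

    # 1. Without the key, changing the state breaks the MAC.
    tampered = genuine.replace(b"step=1", b"step=9")

    # 2. With a copy of the key, state the server never issued gets a valid MAC.
    exposed_copy = server_key
    foreign = protect(b"state the server never issued", exposed_copy)

    # 3. Replacing the key invalidates everything minted under the old one.
    rotated_key = os.urandom(32)

    return {
        "genuine_accepted": validate(genuine, server_key) is not None,
        "tampered_accepted": validate(tampered, server_key) is not None,
        "foreign_accepted": validate(foreign, server_key) is not None,
        "foreign_after_rotation": validate(foreign, rotated_key) is not None,
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

The server-side check cannot tell its own state from state minted with an exposed key, which is why key secrecy, not validation logic, is the control that matters here.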
Severity Rating
The ViewState vulnerability carries a CVSS rating of 8.8 (High), indicating significant risk to affected systems. While this rating is slightly lower than the critical 10.0 score assigned to the February 2024 authentication bypass vulnerability (CVE-2024-1709), it still demands immediate attention from system administrators.
Exploitation Methods
The ViewState vulnerability exploitation is complex but dangerous. An attacker would need to:
- First gain privileged access to the server hosting ScreenConnect
- Access the server’s machine keys
- Use those keys to craft malicious ViewState data
- Execute remote code on the compromised server
Unlike the previous vulnerabilities, which could be exploited by unauthenticated users, this vulnerability requires initial access to the system, making it less likely to be exploited at scale but still concerning for targeted attacks.
Threat Actors
While there’s no specific attribution for attempts to exploit this vulnerability, the ScreenConnect platform has been a target for various threat actors in the past. The February 2024 vulnerabilities were exploited by multiple malicious groups, including ransomware operators.
Remote Management Tools (RMMs) like ScreenConnect are high-value targets for attackers because they often provide direct access to numerous client systems from a single compromise. This “one-to-many” relationship makes them especially attractive for actors seeking to maximize impact.
Who is at Risk
All users and administrators running on-premises installations of ScreenConnect version 25.2.3 or earlier are affected by this vulnerability. Cloud-hosted ScreenConnect users are not affected, as ConnectWise has already applied the necessary patch to all cloud instances.
Organizations particularly at risk include:
- Managed Service Providers (MSPs) using ScreenConnect to support clients
- IT departments leveraging on-premises ScreenConnect for remote support
- Organizations that have not maintained regular update schedules for their ScreenConnect installations
- Environments where ScreenConnect servers are exposed to the internet
Remediation Steps
ConnectWise has taken several important steps to address this vulnerability:
They have released version 25.2.4, which disables ViewState and removes its dependencies, effectively closing the vulnerability. All cloud-hosted servers have been automatically updated, and they are providing ongoing monitoring for suspicious activity.
For affected organizations, the remediation steps depend on your current situation:
- For Organizations with Active Maintenance: Upgrade immediately to version 25.2.4 for the latest security, bug fixes, and enhancements. The recommended upgrade path is: 22.8 → 23.3 → 25.2.4 (follow this sequence for a successful update).
- For Organizations with Expired Maintenance: Renew your maintenance agreement and upgrade to version 25.2.4 for full protection. If you choose not to renew, free security patches are available for versions back to 23.9. You can upgrade to 23.9 at no cost and apply the patch.
- For Self-Hosted Instances Not Under Maintenance: Upgrade to 23.9 at no additional charge, then apply the latest security patch.
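For teams tracking several instances, the remediation rules above can be applied to an inventory. This is an added example, not a ConnectWise tool: the host names and inventory layout are constructed, and two readings of the advisory are assumptions (an instance with maintenance takes every hop of the 22.8 → 23.3 → 25.2.4 sequence that is still ahead of it, and an instance without maintenance on 23.9 or later takes the free patch in place).

```python
from typing import Dict, List, Tuple

FIXED = (25, 2, 4)            # release that disables ViewState, per the advisory
FREE_PATCH_FLOOR = (23, 9)    # oldest version the advisory lists for free patches
UPGRADE_PATH = [(22, 8), (23, 3), FIXED]  # advisory sequence 22.8 -> 23.3 -> 25.2.4


def parse(version: str) -> Tuple[int, ...]:
    """'23.9.8' -> (23, 9, 8); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def triage(version: str, hosting: str, maintenance: bool) -> Tuple[bool, List[str]]:
    """Return (affected, ordered remediation steps) for one instance."""
    current = parse(version)
    if hosting == "cloud" or current >= FIXED:
        return False, []      # cloud is already patched; 25.2.4+ has the fix
    if maintenance:
        # Assumption: take every hop in the sequence that is still ahead.
        return True, [f"upgrade to {fmt(v)}" for v in UPGRADE_PATH if v > current]
    if current < FREE_PATCH_FLOOR:
        return True, ["upgrade to 23.9 (no cost)", "apply security patch"]
    # Assumption: 23.9 and later receive the free patch in place.
    return True, ["apply security patch for installed version"]


# Constructed inventory (hypothetical host names): version, hosting, maintenance.
INVENTORY = {
    "msp-sc-01": ("25.2.3", "on-prem", True),
    "msp-sc-02": ("22.6.1", "on-prem", True),
    "lab-sc-03": ("23.2.9", "on-prem", False),
    "lab-sc-04": ("24.1.5", "on-prem", False),
    "saas-05": ("25.2.3", "cloud", True),
    "msp-sc-06": ("25.2.4", "on-prem", True),
}


def report(inventory) -> Dict[str, Tuple[bool, List[str]]]:
    return {host: triage(*row) for host, row in inventory.items()}


if __name__ == "__main__":
    for host, (affected, steps) in report(INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'} {' -> '.join(steps)}")
```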
Beyond Patching: Additional Security Measures
While patching is the most critical step, organizations should also implement these additional security measures:
- Network Segmentation: Limit access to ScreenConnect servers using network segmentation and firewall rules.
- Strong Authentication: Implement multi-factor authentication for all ScreenConnect administrator accounts.
- Security Monitoring: Deploy monitoring solutions to detect unusual activities within your ScreenConnect environment.
- Regular Audits: Conduct regular security audits of your remote access infrastructure.
- Endpoint Protection: Ensure endpoints accessed via ScreenConnect have proper security controls.
How CinchOps Can Help Secure Your Business
At CinchOps, we understand the critical nature of vulnerabilities like those affecting ScreenConnect. With over three decades of experience managing complex IT systems, we’ve seen firsthand how remote access tools can become prime targets for attackers.
Our managed IT security services include:
- Vulnerability Management: Proactive identification and remediation of security vulnerabilities before they can be exploited.
- 24/7 Security Monitoring: Continuous monitoring of your systems for suspicious activities.
- Patch Management: Timely application of critical security updates across your infrastructure.
- Security Assessments: Comprehensive evaluation of your security posture to identify and address weaknesses.
- Incident Response: Rapid response to security incidents to minimize impact and restore operations.
Don’t let vulnerabilities in your remote access tools put your business at risk. Contact CinchOps today to learn how our managed IT security services can help protect your organization from evolving threats.
Discover More
Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Patching Vulnerabilities Faster: The Key to Reducing Cyber Risk
For Additional Information on this topic: Critical ScreenConnect Vulnerability Let Attackers Inject Malicious Code