ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems.
The vulnerabilities, which currently lack CVE identifiers, are listed below:
- Authentication bypass using an alternate path or channel (CVSS score: 10.0)
- Improper limitation of a pathname to a restricted directory aka “path traversal” (CVSS score: 8.4)
The company rated the severity of the issues as critical, saying they “could allow the ability to execute remote code or directly impact confidential data or critical systems.”
Both vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The issues were reported to the company on February 13, 2024.
While there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are recommended to update to the latest version as soon as possible.
“ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8,” ConnectWise said.