ConnectWise ScreenConnect 23.9.8 security fix

Once the vulnerability was validated on February 14, 2024, ConnectWise product security and engineering teams worked together to mitigate all cloud instances of ScreenConnect within 48 hours. We did so without requiring a version update. Then, we upgraded cloud instances to a later version for further hardening. As a result, partners within our hosted cloud environments were quickly secured against this critical vulnerability.  

Following industry best practices for patching strategy, an official upgraded package was released on February 19, 2024, for all on-prem ScreenConnect partners, and a security bulletin was posted to the ConnectWise Trust Center strongly urging partners patch their on-prem instances of ScreenConnect. On the same day, ConnectWise initiated contact with CISA, and on February 22, CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities (KEV) Catalog.  

In addition, to provide timely information and support to our partners, we mobilized outreach communications through multiple channels, including security bulletins and advisories, partner emails, virtual events, and blogs. These communications emphasize the urgency to patch on-prem instances of ScreenConnect while providing our partners with the latest information, best practices, and support for this critical vulnerability.  

Anyone on a self-hosted instance running ScreenConnect 23.9.7 and prior. 

Partners no longer under maintenance are eligible to install version 22.4.20001 at no additional cost, which will fix both vulnerabilities. However, this should be treated as an interim step. ConnectWise recommends updating to the latest release to get all the current security patches and therefore all partners should upgrade to 23.9.8 or higher as outlined in the upgrade path below. 

Upgrade ScreenConnect to a patched version  

1. To upgrade to version 23.9.8 or later, please note there is a specific upgrade path that must be followed: 

1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9.8+ 

2. If you are not on maintenance and upgrading to 22.4.20001 (or your latest eligible version), please follow this specified upgrade path:  

2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.4.20001 

For instructions on how to upgrade your on-premise installation click here. 

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online.  

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

Cloud partners  
Cloud partners are remediated against both vulnerabilities reported on February 19 (CVE-2024-1709, CVE-2024-1708). No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”), but we recommend to trust but verify. Take this opportunity as a reason to review your configuration, user accounts, and access logs to verify that everything aligns with what you would expect.  
 
ScreenConnect agents are not directly impacted by this issue. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate the vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

On-premise partners 
A patch is available to you if you are a self-hosted or on-premise partner; we urge you to update your servers to version 23.9.8 immediately to apply the patch. 

Link to patch: Download | ConnectWise ScreenConnect  

For instruction on updating to the newest release, please reference this doc: Upgrade an on-premise installation - ConnectWise 

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online.  

If you possess enhanced Windows event logs or endpoint detection and response (EDR) solutions, thorough investigation should be conducted to identify any suspicious activity, including evidence of commands run from webshells or other indicators of compromise.  

In the event of file anomalies or other indicators of compromise are identified, it is highly recommended to seek assistance from external response companies specializing in incident response and digital forensics. These companies possess the expertise necessary to effectively investigate and remediate security concerns.  

Review file system, enhanced Windows event logs or EDR solutions for suspicious activity, such as webshell commands or other compromise indicators.  

Seek assistance from specialized incident response and forensics firms if potential impacted files are identified.  

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

There are many things that a partner can do to protect themselves. In this situation, the most important thing you can do is patch your instances immediately! 

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online.  

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

ConnectWise cloud operations and engineering teams worked together to mitigate all ConnectWise hosted cloud instances of ScreenConnect within 48 hours of validation of the critical vulnerability. ConnectWise was able to mitigate the issue for partners in ConnectWise hosted environments without requiring a version update, because of the nature of the critical vulnerability. We next focused on creating a new build that patched both reported vulnerabilities and deployed it to partners in all cloud hosted environments (version 23.9.8). Cloud partners were not required to update agents to remediate the vulnerabilities. Partners on version 23.9.8 or higher are considered patched. 

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate this vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

Once the vulnerability was validated on February 14, 2024, ConnectWise cloud operations and engineering teams worked together to mitigate all ConnectWise hosted cloud instances of ScreenConnect. Due to the nature of the critical vulnerability, ConnectWise was able to mitigate the issue for partners in ConnectWise hosted environments quickly without requiring a version update. In tandem, we focused on creating new builds that patched both reported vulnerabilities for the current stable release and for versions dating back to 2022. The goal was to provide an upgrade path to a patched release to as many on-prem partners as possible. It took more time to update and QA multiple older builds for on-prem, whereas our cloud environments managed by ConnectWise were standardized to a smaller list of more current releases. 

ScreenConnect version 23.9.10 is just the next release of ScreenConnect. The vulnerabilities were patched in versions 23.9.8 or higher. Partners on 23.9.8 or higher are considered patched for CVE-2024-1708 and CVE-2024-1709. New releases in the cloud will be returning to our normal rolling schedule moving forward. 

If you suspect your ScreenConnect software may be compromised, prioritize securing your systems. Follow your existing incident response playbook to isolate the affected servers and create backups to analyze later. Don't put those servers back online until they're thoroughly investigated, rebuilt, and secured with the latest patches. 

Remember, a compromised ScreenConnect server might not be the only point of entry. Your incident response should encompass your entire system to identify and address any broader security vulnerabilities. We encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant . 

Whether you have patched your server or still need to—it is critical to assess your systems for signs of impact before bringing any systems back online, upgrading your server, or migrating your server.  We encourage partners to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.   

Review the guide thoroughly and pay particular attention to the Internal Users on your on-prem server to verify that there are no unknown internal user accounts. Review file system, enhanced Windows event logs or EDR solutions for suspicious activity, such as web shell commands or other compromise indicators. Please seek assistance from specialized incident response and forensics firms if potential impacted files are identified.    

Partners can then follow our instructions to migrate to the cloud: Migrate to ScreenConnect Cloud from a Windows server - ConnectWise. Post migration, partners should verify agent counts, uninstall agents, and decommission the on-premises server.  This should include removing DNS records and firewall rules allotted to the on premises ScreenConnect server. 

Licenses were paused for servers that have checked in using an unpatched version. You will be able to upgrade to the current/patched versions, and if the license is eligible for the installed version, it will automatically be restored by the license server. However, the key would still need to be valid for the version you're using. If the key is not valid, it will stay as revoked, and you'd need to upgrade the key. To update upgrade your on-prem license, click here.  

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. Partners have notified us that certain A/V vendors have flagged agents. These reports should be registered as false positives to your vendors, but we're also working with select vendors to fix the issue. 

We went to great lengths to contact partners and previous partners regarding this issue through multiple channels (e.g., email, Trust Center with RSS feed, blog, media/news outlets, channel advocates, social media, webinars, phone calls, community forums).  

We’ve heard reports that messages went to junk or spam folders. To avoid this in the future, please set rules that allow ConnectWise communication to hit your primary inbox—add no-reply@connectwise.com to your safe sender list to ensure these important communications are delivered to your inbox. 

In addition, please update your primary contact details by reaching out to your dedicated account manager. You can also ensure your email preferences are correctly configured in our online self-service ConnectWise Profile and Preference Center (learn more here). 

To ensure you receive the latest security-related communications from ConnectWise, we highly recommend subscribing to the RSS feeds from our Trust Center to ensure you receive real-time notifications on the latest security advisories and bulletins.  

If you have confirmed that your primary contact information is accurate and you are still not receiving emails from our system, we kindly request that you share the primary contact email with us for further investigation. 

We encourage you to update your primary contact details by reaching out to your dedicated account manager. You can also ensure your email preferences are correctly configured in our online self-service ConnectWise Profile and Preference Center (learn more here).  

In addition, to avoid messages potentially going into a junk or spam folder, please set rules such as adding “no-reply@connectwise.com” to your safe sender list to ensure these important ConnectWise communications are delivered to the designated primary contact’s inbox.  

And if you have not done so yet, we highly recommend subscribing to the RSS feeds from our Trust Center to ensure you receive real-time notifications on the latest security advisories and bulletins.  

We apologize for any confusion. For cloud-hosted partners, including RMM/Command partners, while we communicated that there was no action needed, many believed they were still vulnerable because their ScreenConnect was showing a version older than 23.9.8. We took action to remediate the vulnerability for all cloud partners, but because partners did not have the new version installed, they thought they were still vulnerable. We rolled out full version upgrades to resolve this. Again, we apologize for any confusion and inconvenience, or original message may have caused. 

Some of our cloud-hosted partners (including RMM/Command partners) were concerned they were possibly compromised due to a brief downtime on February 21. This was due to an accelerated rollout of the formal patch version (23.9) to put us back on a proper release schedule. The average downtime for this was around 10 minutes.  

Check your Status/Overview page and review the Version Check. Review the Latest Eligible Version row; this will detail the latest version of ScreenConnect that your license permits you to upgrade to. 

Partners no longer under maintenance are eligible to install version 22.4.20001 at no additional cost, which will fix CVE-2024-1709, the critical vulnerability. However, this should be treated as an interim step. ConnectWise recommends updating to the latest release to get all the current security patches and therefore all partners should upgrade to 23.9.8 or higher using the upgrade path outlined above. 

For instructions on how to renew your license, please click here or contact our sales team at screenconnectsales@connectwise.com.   

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online.  

Once you have patched your on-prem instance of ScreenConnect to the latest version, you should review users with access to ScreenConnect, remove any that are not recognized, change passwords, and enable MFA.  

If you are using any extensions, please validate them and remove/add them again. Once all steps are completed restart the server. 

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate the vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

We are unaware of any confirmed connection between the ConnectWise ScreenConnect vulnerability disclosed on February 19, 2024, and the incident at Change Healthcare. 

Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of MSPs have come forward with any information regarding their association with Change Healthcare. 

You can read our official response to this question in its entirety here. 

We maintain a robust "shift left" security program with continuous and ongoing investments, such as embedded security champions, threat modeling, code review, automated scanning and fuzzing, and both internal and external dedicated application penetration testing. However, even with all those best practices in place, vulnerabilities can still be discovered. This is true for the software industry, as exemplified by industry events like Patch Tuesday (also known as Update Tuesday), which has been around for over 20 years. 

An additional focus is on continuously improving our vulnerability identification and response processes. A key component of this effort is our vulnerability disclosure program found on our Trust Center. This program highlights our commitment to collaborating with independent researchers, industry organizations, partners, and the greater community across the globe in identifying weaknesses in any technology and helps ensure that reported vulnerabilities are handled ethically and responsibly, playing a crucial role in prioritization for remediation. 

The recent vulnerabilities were reported through our vulnerability disclosure program and demonstrates the effectiveness of this program. We continue to focus on preventing vulnerabilities and how we respond, react, and keep you informed when they do occur.   

To ensure you receive the latest security-related communications from ConnectWise, we highly recommend subscribing to the RSS feeds from our Trust Center to ensure you receive real-time notifications on the latest security advisories and bulletins.  

If you have questions or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can also call our Partner InfoSec Hotline at 1-888-WISE911 to report a non-active security incident or a security vulnerability. 

We are communicating in many platforms to make sure you stay informed. However, our FAQ page will capture the latest questions that are frequently asked as this evolves. We also encourage to go online to our Trust Center for the latest advisories and bulletins for more information. For real-time updates, we recommend subscribing to the ConnectWise security bulletin RSS feed.  

If you do not find what you are looking for here and you need additional assistance or have more questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.