February 29, 2024 update:
Cloud partner summary:
Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).
On-prem partner summary:
On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.
Active maintenance
If you are on active maintenance, we strongly recommend upgrading to the most current release of 23.9.8 or later. Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.
Off maintenance
ConnectWise has made a patched version, 22.4.20001, available to any partner regardless of maintenance status as an interim step to mitigate the vulnerability. If you are not currently under maintenance, please upgrade your servers to version 22.4.20001 at minimum or to your latest eligible patched version that includes the remediation for CVE-2024-1709.
Upgrade ScreenConnect to a patched version immediately
1. To upgrade to version 23.9.8 or later, please note there is a specific upgrade path that must be followed:
2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9.8+
2. If you are not on maintenance and upgrading to 22.4.20001 (or your latest eligible version), please follow this specified upgrade path:
2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.4.20001
For instructions on how to upgrade your on-premise installation click here.
Addressing license errors
If a license error arises during the upgrade, please stop the four ScreenConnect services (Session Manager, Security Manager, Web Server, Relay), move the “License.xml” file out of the installation folder (“C:\Program Files (x86)\ScreenConnect\App_Data\License.xml”) to another location such as the Desktop, and proceed with the upgrade. After the upgrade is complete, the license key will need to be re-added by stopping the four services and dropping the file back into the App_Data folder.
February 21 original advisory:
If you suspect you have been compromised related to the recent ConnectWise ScreenConnect™ vulnerability (CWE-288), please follow the mitigation steps below.
1. Upgrade ScreenConnect to the current 23.9.8 version immediately
- Please note, there is an upgrade path that must be followed*
2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9
- Click here to upgrade your on-premise installation
2. If you receive a license error when upgrading, it may be due to a technical problem on the server, or the license key itself may need to be renewed*.
If the upgrade cannot be completed, please delete the SetupWizard.aspx file from the installation folder:
C:\Program Files (x86)\ScreenConnect\SetupWizard.aspx
*Please see the February 29, 2024 advisory update to review the amended upgrade path and instructions on how to address licensing errors.
3. Identify the issue
- When compromised, the User.xml file on the ScreenConnect instance is reset and replaced with a new file that contains only information about one new user:
C:\Program Files (x86)\ScreenConnect\App_Data\User.xml
- This file can be restored from a backup to get the original users back (if applicable)
- If you don’t have a user backup, the user file can be reset again by following the process outlined here.
4. Once you are able to log in, check for malicious commands/tools or connections.
- Install the Report Manager extension from the Admin > Extensions page using the Browse Extension Marketplace button
- Launch Report Manager from the Admin page > Extras menu (four-box icon in the lower-left corner) > Report Manager
- There are pre-built reports that will export data as a CSV. All reports show the last 30 days of data by default (this is dependent on the database maintenance plans)
- Host Session Connections—shows all connections made to devices
- Queued Commands Example—shows all remote commands run against devices
- Queued Toolbox Items Example—shows all toolbox items that were queued up
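A read-only check for steps 2 and 3 above, added here as an example and not ConnectWise's own code: it reports whether SetupWizard.aspx is still in the installation folder and lists the accounts found in User.xml together with the file's last write time. The function name and the -ExpectedUsers parameter are hypothetical, and the <User>/<Name> element names in User.xml are an assumption about the file layout.

```powershell
# Added read-only triage sketch, not ConnectWise code. Default path is the one quoted in the advisory.
param(
    [string]$InstallDir = 'C:\Program Files (x86)\ScreenConnect',
    [string[]]$ExpectedUsers = @()   # hypothetical: account names you know to be legitimate
)

function Get-ScreenConnectTriage {
    param([string]$InstallDir, [string[]]$ExpectedUsers = @())

    $userXml = Join-Path $InstallDir 'App_Data\User.xml'
    $result = [ordered]@{
        SetupWizardPresent  = Test-Path -LiteralPath (Join-Path $InstallDir 'SetupWizard.aspx')
        UserXmlPresent      = Test-Path -LiteralPath $userXml
        UserXmlLastWriteUtc = $null
        UserNames           = @()
        UnexpectedUsers     = @()
        SingleUserFile      = $false
        ParseError          = $null
    }
    if (-not $result.UserXmlPresent) { return [pscustomobject]$result }

    $result.UserXmlLastWriteUtc = (Get-Item -LiteralPath $userXml).LastWriteTimeUtc
    try {
        # The file may have been written by an intruder, so refuse DTDs/external entities.
        $settings = New-Object System.Xml.XmlReaderSettings
        $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
        $reader = [System.Xml.XmlReader]::Create($userXml, $settings)
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($reader) } finally { $reader.Dispose() }

        # Assumption: each account is a <User> element with a <Name> child element.
        $names = @($doc.SelectNodes("//*[local-name()='User']/*[local-name()='Name']") |
                   ForEach-Object { $_.InnerText.Trim() })
        $result.UserNames      = $names
        $result.SingleUserFile = ($names.Count -eq 1)
        if ($ExpectedUsers.Count -gt 0) {
            $result.UnexpectedUsers = @($names | Where-Object { $ExpectedUsers -notcontains $_ })
        }
    } catch {
        $result.ParseError = $_.Exception.Message
    }
    [pscustomobject]$result
}

$t = Get-ScreenConnectTriage -InstallDir $InstallDir -ExpectedUsers $ExpectedUsers
$t | Format-List
if ($t.SetupWizardPresent) { Write-Warning 'SetupWizard.aspx is present; the advisory says to delete it if the upgrade cannot be completed.' }
if ($t.SingleUserFile)     { Write-Warning 'User.xml holds exactly one user; check the name and write time against your records.' }
```

A single-user User.xml is only a prompt to look closer on installations that normally have one account, so compare the listed name and the write time with a known-good backup before restoring or resetting the file.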
Support
If you need any assistance or have additional questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.
Report a security incident
If you have questions or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can also call our Partner InfoSec Hotline at 1-888-WISE911 to report a non-active security incident or a security vulnerability.