ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems.
The vulnerabilities, which currently lack CVE identifiers, are listed below:
- Authentication bypass using an alternate path or channel (CVSS score: 10.0)
- Improper limitation of a pathname to a restricted directory, aka “path traversal” (CVSS score: 8.4)
The company rated the severity of the issues as critical, citing that they “could allow the ability to execute remote code or directly impact confidential data or critical systems.”
Both vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The flaws were reported to the company on February 13, 2024.
Although there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are advised to update to the latest version as soon as possible.
“ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8,” ConnectWise said.
Some parts of this article are sourced from:
thehackernews.com