ConnectWise BCDR and R1Soft Server Backup Manager Critical Security Release

10/28/2022
Products: Recover
Severity: Critical
Priority: 1 - High

Vulnerability 

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component.

Severity 

Critical – Vulnerabilities that could allow the ability to execute remote code or directly access confidential data.

Priority  

1 – Vulnerabilities that are either being targeted or have a higher risk of being targeted by exploits in the wild. Recommend patching as soon as possible.  

Affected versions 

ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted.

R1Soft: SBM v6.16.3 and earlier versions are impacted.

Remediation 

ConnectWise Recover:

Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9).

R1Soft:

Upgrade the server backup manager to SBM v6.16.4 released October 28, 2022 using the R1Soft upgrade wiki.

Please refer to the release notes for more information. 

Additional information 

Visit home.connectwise.com/securityBulletin/635bd34f6e80800001cdcfbe