ConnectWise ScreenConnect 23.8 Security Fix

11/20/2023
Products: Automate, ScreenConnect
Severity: Important
Priority: 1 - High

Product(s): ConnectWise ScreenConnect, ConnectWise Automate (cloud instances only where ScreenConnect is installed)

Vulnerability

CVE-2023-47256: ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings.


CVE-2023-47257: ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.

Severity

Important—Vulnerabilities that could compromise confidential data or other processing resources but require additional access / privilege to do so.

Priority 

1—Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g., within days).  

Affected versions

ConnectWise ScreenConnect versions 23.8 and earlier are impacted, in addition to ConnectWise Automate cloud instances where ScreenConnect is installed.

Remediation

CLOUD:

Cloud instances are being automatically updated on a rolling schedule; however, administrators can manually force this update through cloud.screenconnect.com. See the following steps to upgrade:

ON-PREMISE:

Please upgrade to ScreenConnect version 23.8.5 and update your guest clients to the same version.

Automate partners with ConnectWise ScreenConnect:

For Automate partners with the ScreenConnect plugin, to check if a new build has been released for your ScreenConnect installation visit: Upgrading ConnectWise ScreenConnect via the Plugin.