ConnectWise has announced a new critical vulnerability for the administrative side of ScreenConnect. This vulnerability is rated as a CVSS 10.0 and can be remotely exploited without credentials. Affected versions are ScreenConnect 23.9.7 and prior. This only applies to the server side application and not the ScreenConnect client.
The OIT and Trinity-managed ScreenConnect services have already been patched. If anyone else is operating a ScreenConnect server, you must patch it immediately. We expect this vulnerability will be exploited by bad actors very soon.
Full details: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Please contact site@duke.edu with any questions.
