CISA Warning: Attacks on ConnectWise ScreenConnect and Windows Shell
The US cybersecurity agency CISA warns of observed attacks on the Windows Shell and ConnectWise ScreenConnect.
Attackers are targeting vulnerabilities in ConnectWise ScreenConnect and the Windows Shell. The US cybersecurity agency CISA is now warning of these attacks.
In its statement, CISA announced that it has added two exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, but the agency did not provide further details. The scope, nature, and consequences of the attacks are therefore unclear. However, the CVE entries sometimes allow further conclusions to be drawn. For example, attacks on the Windows Shell became known yesterday (Tuesday) (CVE-2026-32202, CVSS 4.3, risk “medium”). Akamai, for instance, has published more in-depth background information, classifying the flaw as a zero-click vulnerability and discussing how attackers can exploit it to steal Net-NTLMv2 hashes and misuse them in NTLM relay attacks, which they are now doing in practice.
The security vulnerability in ConnectWise ScreenConnect, which malicious actors are exploiting, has been known since February 2024 (CVE-2024-1708, CVSS 8.4, risk “high”). Since then, there have also been updates to the Remote Monitoring and Management (RMM) software. IT security researchers from Huntress provide helpful guidance here, which dates back to mid-February but is apparently still relevant.
Exploited ScreenConnect Vulnerability
CVE-2024-1708 is a so-called path traversal vulnerability, which allows attackers to deploy malicious code on vulnerable systems. According to Huntress, malicious actors are using it together with CVE-2024-1709 (CVSS 10.0, risk “critical”), which enables authentication bypass. The attack combining the two vulnerabilities has been named “SlashAndGrab.” ConnectWise ScreenConnect versions 23.9.7 and earlier are affected; the fix is included in ScreenConnect 23.9.8 and later.
IT administrators should close the security vulnerabilities by applying the available patches. Those using ConnectWise ScreenConnect can also find some indicators of compromise (IOCs) in the Huntress analysis, which can be used to scan systems.
(dmk)