Vulnerability gives attackers a way to target thousands of MSPs and their downstream customers. Company urges customers to treat issue as a top priority [298 words].
What: ConnectWise has patched a critical, remote code execution vulnerability in its ConnectWise Recover and R1Soft Server Backup Manager (SBM) software. The flaw exists in ConnectWise Recover SBM v2.9.7 and earlier and R1Soft SBM v6.16.3 and earlier. ConnectWise has automatically updated vulnerable versions of ConnectWise Recover to version v2.9.9. Organizations using R1Soft SBM should immediately upgrade to SBM v6.16.4 released October 28, 2022 via the R1Soft upgrade wiki.
The vulnerability stems from an authentication bypass issue in the ZK Java library embedded in affected versions of ConnectWise software. The ZK library vulnerability was disclosed and fixed earlier this year but continued to be bundled in the affected ConnectWise products.
Why the flaw matters: The vulnerability exists in technology that is relatively widely used by managed service providers. Researchers at Huntress Labs who reported the issue to ConnectWise developed an attack chain showing how threat actors could leverage the ZK flaw to bypass authentication, upload a backdoored JFBC database driver to gain remote code execution and use the REST API to trigger commands for distributing Lockbit 3.0 ransomware to all connected, downstream endpoints.
Huntress said a Shodan search showed more than 5,000 exposed ConnectWise SBMs that had the potential to be exploited in this manner. Because those using the affected servers are mostly MSPs, the actual number of organizations that could be compromised via the flaw is likely much higher, Huntress said.
ConnectWise disclosure: ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release