CVE-2023-25718
📋 TL;DR
This vulnerability in ConnectWise Control (formerly ScreenConnect) allows attackers to modify signed executable files without invalidating their digital signatures. Attackers can trick users into downloading and executing malicious files that appear legitimate. All ConnectWise Control installations through version 22.9.10032 are affected.
💻 Affected Systems
- ConnectWise Control (formerly ScreenConnect)
📦 What is this software?
Control by Connectwise
⚠️ Risk & Real-World Impact
Worst Case
Attackers could distribute malware that appears to be legitimate ConnectWise Control executables, leading to complete system compromise, data theft, and lateral movement across networks.
Likely Case
Users download and execute attacker-controlled files thinking they're legitimate ConnectWise Control updates or components, resulting in malware installation and potential credential theft.
If Mitigated
With proper configuration options enabled, the risk is reduced but not eliminated; users might still be prompted but would have additional warnings.
🎯 Exploit Status
Proof-of-concept demonstrates DNS spoofing to deliver malicious executables; exploitation requires user interaction but is technically simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.9.10033 and later
Vendor Advisory: https://www.connectwise.com
Restart Required: Yes
Instructions:
1. Download latest ConnectWise Control version from vendor portal. 2. Backup current installation. 3. Run installer to upgrade. 4. Restart ConnectWise Control services.
🔧 Temporary Workarounds
Enable additional security prompts
allConfigure ConnectWise Control to show additional warnings before executable downloads
Network segmentation
allRestrict ConnectWise Control server network access to prevent DNS spoofing attacks
🧯 If You Can't Patch
- Implement strict application whitelisting to prevent unauthorized executable execution
- Deploy network monitoring to detect DNS spoofing and unusual executable downloads
🔍 How to Verify
Check if Vulnerable:
Check ConnectWise Control version in web interface or installation directoryCheck Version:
On Windows: Check Help > About in ConnectWise Control interfaceVerify Fix Applied:
Verify version is 22.9.10033 or higher and check that digital signature validation is functioning📡 Detection & Monitoring
Log Indicators:
- Unexpected executable downloads via ConnectWise Control
- Multiple failed signature validation attempts
Network Indicators:
- DNS spoofing attempts targeting ConnectWise domains
- Unusual outbound connections from ConnectWise servers
SIEM Query:
source="connectwise" AND (event="executable_download" OR event="signature_validation_failure")🔗 References
- https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/
- https://m.youtube.com/watch?v=fbNVUgmstSc&pp=0gcJCf0Ao7VqN5tD
- https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
- https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/
- https://www.connectwise.com
- https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
- https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
