Remote Code Execution Vulnerability in ConnectWise Control by ConnectWise
CVE-2019-16514

7.2HIGH

Key Information:

Vendor

Connectwise
Status
Control
Vendor
CVE Published:
23 January 2020

What is CVE-2019-16514?

A vulnerability exists within ConnectWise Control (formerly ScreenConnect) version 19.3.25270.7185, which permits remote code execution. This issue arises because the server allows administrative users to upload an unsigned extension ZIP file that contains executable code. Upon uploading, the server executes the code without validating its integrity, creating a pathway for attackers to exploit the system.

References

https://know.bishopfox.com/advisories
x_refsource_MISC
https://know.bishopfox.com/advisories/connectwise-control
x_refsource_MISC
https://blog.huntresslabs.com/validating-the-bishop-fox-f...
x_refsource_MISC

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.