ConnectWise Patches Automate Bug Exploited in AiTM Attacks

Urgent Security Alert: Critical ConnectWise Automate Flaw Allows Authentication Bypass

A high-severity authentication bypass vulnerability has been discovered in ConnectWise Automate, putting on-premises servers at significant risk. The flaw, tracked as CVE-2024-4985, carries a CVSS score of 8.4, indicating a critical level of danger. Security researchers have confirmed that this vulnerability is being actively exploited in the wild by threat actors as part of sophisticated phishing campaigns.

This vulnerability poses a direct threat to Managed Service Providers (MSPs) and IT departments relying on ConnectWise Automate for remote monitoring and management (RMM). A successful exploit could grant attackers high-level administrative access, creating a “keys to the kingdom” scenario with devastating potential consequences.

Understanding the Threat: CVE-2024-4985 Explained

The core of the issue lies in an authentication bypass mechanism within ConnectWise Automate. In simple terms, the vulnerability allows an attacker with limited, low-level account access to escalate their privileges to those of a full administrator. This is achieved by exploiting a flaw in how the platform handles user authentication paths.

Making matters worse, this primary vulnerability is often chained with a second, lower-severity path traversal flaw. This combination creates a potent attack vector that cybercriminals are already leveraging to compromise systems.

The affected versions include ConnectWise Automate 24.0 and all older versions. Any organization running an on-premises instance of this software should consider itself vulnerable and take immediate action.

The Link to Adversary-in-the-Middle (AiTM) Attacks

Security experts have observed that threat actors are using CVE-2024-4985 as a key component in Adversary-in-the-Middle (AiTM) phishing attacks. This modern phishing technique is far more dangerous than traditional methods.

Here’s how the attack chain works:

  1. Initial Phishing: The attacker sends a sophisticated phishing email to a target, often an employee at an MSP.
  2. Session Hijacking: When the user clicks the link, they are directed to a malicious proxy server that sits between them and the real login page. This allows the attacker to steal session cookies and multi-factor authentication (MFA) tokens in real-time.
  3. Initial Access: Using the stolen session cookie, the attacker gains initial, often low-level, access to the organization’s ConnectWise Automate instance, completely bypassing MFA.
  4. Privilege Escalation: The attacker then exploits CVE-2024-4985 to elevate their stolen, low-privilege session into one with full administrative rights.

Once an attacker has administrative control over an RMM platform like ConnectWise Automate, they have sweeping access to the networks of all connected clients. This makes RMM tools a high-value target for cybercriminals aiming to launch widespread supply chain attacks.

Actionable Steps to Secure Your Systems

Given the active exploitation of this flaw, immediate and decisive action is required to mitigate the risk. If your organization uses an on-premises version of ConnectWise Automate, follow these critical security steps.

  1. Apply the Patch Immediately: ConnectWise has released a security patch to address this vulnerability. This is the single most important step you can take. Prioritize the deployment of this update across all your Automate servers without delay.
  2. Audit User Privileges: Review all user accounts within your ConnectWise Automate instance. Enforce the principle of least privilege, ensuring users only have the permissions necessary to perform their jobs. Limiting the number of low-level accounts can reduce the initial attack surface.
  3. Monitor for Suspicious Activity: Scrutinize your logs for any signs of compromise. Look for unusual login times or locations, unexpected password changes, or accounts suddenly gaining administrative privileges. Any abnormal behavior should be investigated immediately.
  4. Enhance Phishing Defenses: Since AiTM is the entry vector, bolster your defenses against advanced phishing threats. This includes user training to recognize sophisticated phishing attempts and implementing technical controls like enhanced email filtering and web security gateways designed to detect and block AiTM infrastructure.
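The monitoring step above and the attack chain described earlier both come down to two signals a defender can look for in authentication logs: a session that was established from one source address and then used from another (the trace a replayed, AiTM-stolen cookie leaves behind), and an account that is promoted to an administrative role partway through an existing session. The script below is an added example written for this article, not ConnectWise's code or the Automate audit format; the log layout (`timestamp event user session src_ip detail`), the sample lines, and the role names are all constructed for illustration and would need to be mapped onto your platform's real audit export.

```python
"""Detection sketch for two signs of the AiTM-plus-privilege-escalation
pattern described above:

  1. a session token used from a different source IP than the one that
     performed the login (consistent with a hijacked session cookie), and
  2. an account gaining an administrative role mid-session.

The log format, sample events and role names here are CONSTRUCTED for this
example; they are not the ConnectWise Automate audit log format.
"""
from datetime import datetime

# Constructed sample audit events: "timestamp event user session src_ip [detail]".
# tech1 logs in from one address, the same session is then used from another
# address, and the account is promoted to Administrator shortly afterwards.
SAMPLE_LOG = """\
2024-05-21T08:02:11Z LOGIN tech1 s-4f1a 203.0.113.10 mfa=ok
2024-05-21T08:05:40Z ACTION tech1 s-4f1a 203.0.113.10 view_agents
2024-05-21T08:09:02Z ACTION tech1 s-4f1a 198.51.100.77 view_agents
2024-05-21T08:11:30Z ROLE_CHANGE tech1 s-4f1a 198.51.100.77 role=Administrator
2024-05-21T09:00:00Z LOGIN admin2 s-9c2e 203.0.113.22 mfa=ok
2024-05-21T09:15:00Z ACTION admin2 s-9c2e 203.0.113.22 view_agents
"""

# Hypothetical role names treated as administrative for this example.
ADMIN_ROLES = {"administrator", "superadmin"}


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(" ", 5)
        ts, kind, user, session, ip = parts[:5]
        detail = parts[5] if len(parts) > 5 else ""
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind, "user": user, "session": session,
            "ip": ip, "detail": detail,
        })
    return events


def find_session_ip_changes(events):
    """Return (user, session, login_ip, other_ip) for each session whose
    later activity comes from an address other than the one that logged in.
    Each session is reported once, on its first foreign-IP event."""
    login_ip = {}
    reported = set()
    alerts = []
    for e in events:
        if e["kind"] == "LOGIN":
            login_ip[e["session"]] = e["ip"]
            continue
        origin = login_ip.get(e["session"])
        if origin and e["ip"] != origin and e["session"] not in reported:
            reported.add(e["session"])
            alerts.append((e["user"], e["session"], origin, e["ip"]))
    return alerts


def find_mid_session_admin_grants(events):
    """Return (user, session, seconds_since_login) for every ROLE_CHANGE to an
    administrative role that happens inside a session that logged in as a
    non-admin. A role jump inside a live session is the escalation step the
    article describes and is worth an immediate look."""
    login_ts = {}
    alerts = []
    for e in events:
        if e["kind"] == "LOGIN":
            login_ts[e["session"]] = e["ts"]
        elif e["kind"] == "ROLE_CHANGE" and e["detail"].startswith("role="):
            role = e["detail"].split("=", 1)[1].strip().lower()
            if role in ADMIN_ROLES and e["session"] in login_ts:
                since = int((e["ts"] - login_ts[e["session"]]).total_seconds())
                alerts.append((e["user"], e["session"], since))
    return alerts


def analyze(text):
    """Run both detections over a log text and return the findings."""
    events = parse_events(text)
    return {
        "session_ip_changes": find_session_ip_changes(events),
        "admin_grants": find_mid_session_admin_grants(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{name}] {hit}")
```

Run stand-alone, the script reports the `s-4f1a` session twice: once because it was used from `198.51.100.77` after logging in from `203.0.113.10`, and once because the account was promoted to Administrator about nine minutes into that session, while the `admin2` session produces nothing. On a real platform the session-IP check will need tolerance for legitimate address changes (mobile users, VPN reconnects), so treat it as a triage signal to correlate with the role-change events rather than a standalone block rule.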

The targeting of RMM software highlights a dangerous trend in cybersecurity. By compromising a single MSP, attackers can gain a foothold into dozens or even hundreds of other businesses. Proactive patching and a defense-in-depth security posture are no longer optional—they are essential for survival in today’s threat landscape.

Source: https://www.bleepingcomputer.com/news/security/connectwise-fixes-automate-bug-allowing-aitm-update-attacks/